Manual Pages

Table of Contents


na_protocolaccess - Describes protocol access control


Protocol access control defines a method to restrict access to the node on a protocol-by-protocol basis. For example, the command options rsh.access host=admin restricts access to rsh to a host named admin. Access can be restricted by host name, IP address, and/or network interface name.


The syntax is as follows:

options protocol.access access_spec [ AND | OR [ ( ] access_spec [ ) ] ... ]

protocol is currently one of the following: rsh, telnet, ssh, httpd, httpd.admin, snmp, ndmpd, snapmirror, or snapvault.

access_spec is composed of keywords and their values. Currently the following keywords and values are defined:

host [=|!=] host spec
netgroup [=|!=] netgroup spec
if [=|!=] network interface spec all

host spec is a comma separated list consisting of either a host name, an IP address, or an IP address with a netmask. Valid host name is a string and cannot contain the following characters: "=", "(", ")", "!", "*", and "," . An IP address is of the format . If the IP address contains a netmask, then the format is: where mm represents the number of bits from the left.

network interface spec is a comma separated list of one or more network interface names. Valid network interface names can be obtained from the ifconfig -a command.

netgroup spec is a comma separated list consisting of names of one or more netgroups(group of hosts).

The access specs may be and'ed and or'ed by the keywords AND and OR respectively. The keywords AND and OR are not case-sensitive.

Operational precedence is from left to right. Parentheses may be used to force operational order.

The keyword all is used to allow access to all. The keyword none is used to allow access to none. The legacy keyword is used to specify previous behavior. For example, the legacy behavior of telnet is to use trusted.hosts, while the legacy behavior of rsh is to allow all.

The access spec can be a "*" which matches all. This is the same as the all keyword. If the access spec is a "-", then all access is denied. This is the same as the none keyword.

The difference between setting the host value to an IP address or a host name becomes apparent when the matching occurs. IP addresses are matched before the connection is made. If access is denied, the connection is not made and the client times out. Therefore, specifiyng the IP address lessens the impact of denial of service attacks. Host names are matched after the connection is made, and therefore the client is informed that access is denied.

If httpd.admin.access is not set to legacy, then trusted.hosts is ignored for httpd.admin. If telnet.access is not set to legacy, then trusted.hosts is ignored for telnet. If snapmirror.access is not set to legacy, then the /etc/snapmirror.allow file is ignored for snapmirror destination checking.


Here are some protocol access control examples:

Allow an NDMP server to accept control connection request from any client.

options ndmpd.access legacy

Allow remote shell access for only one host named gnesha.zo.

options rsh.access "host = gnesha.zo"

Allow access for Telnet subnet 10.42.69.

options telnet.access host=

Allow ssh access for hosts abc and xyz when on network interface e0.

options ssh.access "host=abc,xyz AND if=e0"

Allow access to SNMP for network interfaces e0, e1, and e2.

options snmp.access if=e0,e1,e2

Do not allow access to HTTPD for network interface e3.

options httpd.access "if != e3"

Allow access to administrative HTTPD from for two hosts.

options httpd.admin.access host=champagne,tequilla

Disallow all access to Telnet.

options telnet.access "host=-"

Set httpd.admin to use previous trusted.hosts access

options httpd.admin.access legacy

Point SnapMirror to the (deprecated) /etc/snapmirror.allow file to check access to sources from other nodes.

options snapmirror.access legacy

Allow a SnapVault server to accept any client requests.

options snapvault.access all

Allow telnet access for all hosts in the netgroups admin_hosts and it_hosts. Both netgroups admin_hosts and it_hosts are defined in /etc/netgroup.

options telnet.access "netgroup = admin_hosts,it_hosts"

Allow telnet access for all hosts except those in the netgroup admin_hosts. Netgroup admin_hosts is defined in /etc/netgroup.

options telnet.access "netgroup != admin_hosts"

Note: quotes are needed around access specifications that include blanks.


na_options(1), na_http(8), na_rshd(8), na_snmpd(8), na_netgroup(5)

Table of Contents