.TH SERV.ACCESS 5
.SH NAME
serv.access \- Internet service access list
.SH SYNOPSIS
.B /etc/serv.access
.SH DESCRIPTION
.de SP
.if t .sp 0.4
.if n .sp
..
The
.B serv.access
file contains a list of rules that guide the access checks made by the
.BR servxcheck (3)
function.  The file is a text file containing entries that look as follows:
.PP
.RS
.I service1 service2
.RB ... :
.I check1 check2
.RB ... ;
.RE
.PP
Each of the service names is a service name from the
.B /etc/services
file.  The same names are used in the
.B /etc/inetd.conf
configuration file that guides
.BR inetd (8).
.PP
The checks may look as follows:
.PP
.BI +
.br
.BI -
.RS
Allow all, or allow none.  Used to explicitly set the initial state.
.RE
.PP
.BI + name
.RS
Grant access to one of the services if the host name of the remote system
matches
.BR name .
.RE
.SP
.BI \- name
.RS
Deny access to one of the services if the host name of the remote system
matches
.BR name .
.RE
.PP
.BI + ipaddr
.br
.BI \- ipaddr
.br
.BI + netaddr / len
.br
.BI \- netaddr / len
.RS
Grants or denies access to a remote host with IP address
.IR ipaddr ,
or the remote host whose IP address is within the network
.IR netaddr .
.I Len
tells the number of bits used for the network address, i.e. the top
.I len
bits of the network address must equal the host address.
.RE
.PP
.BR log
.RS
This is not a check, but a flag that instructs
.B servxcheck()
to log the result of the access check whether it succeeds or not to
.BR /usr/adm/log .
By default only failure is logged.
.RE
.PP
The first "+" or "\-" access check sets the tone.  Read it as "access denied
unless +...", or "access granted unless \-...".  An access check will
therefore almost always start with a "+" check.  To make the initial state
clear you can start with a lone "+" or "\-".  Checks are done from left
to right.  A check that doesn't match does not change the outcome.  A check
that can't change the outcome is skipped.
.PP
Both the service and the host names may contain the
.B "\(**"
wildcard that matches any number of characters including none.  Letters are
compared ignoring case.  A service name may appear in more than one rule,
but a service mentioned explicitly is not matched by wildcard patterns in
later rules.
.PP
A check for a hostname causes
.B servxcheck()
to do a reverse lookup on the IP address of the remote host to find its
name.  This name is then looked up to find the host's IP address(es).
If those lookups fail then all
.BI \- name
checks cause access to be denied, and no
.BI + name
check grants access.
The DNS lookup failures may be a
misconfiguration, but could indicate a break-in attempt from a badly
maintained host.  You can use a simple "+*" in an otherwise empty list to
just deny misconfigured hosts.
.PP
An IP or network address check is simply done on the remote host's IP
address.  Such a check has no overhead, but a
.B log
flag will cause a reverse lookup anyway.
.PP
Comments start with "#" and continue until end of line.
.SH EXAMPLES
Example access file on a machine that offers most services only to hosts within
the cs.vu.nl domain, and news (nntp) only to two machines and a specific
network.
.PP
.RS
.nf
.ta +2.2i +.4i
# Service	# Access list
login shell:	+*.cs.vu.nl log;
telnet pop smtp finger:	+ log;
nntp:	+flotsam.cs.vu.nl +jetsam.cs.vu.nl +172.16.102.0/24 log;
*:	+*.cs.vu.nl;
.fi
.RE
.PP
More paranoid example that limits all services by default, but allows ftp and
http to the world:
.PP
.RS
.nf
.ta +2.2i +.4i
# Service	# Access list
ftp http:	+;
smtp finger:	+ log;
nntp:	+flotsam.cs.vu.nl +jetsam.cs.vu.nl +172.16.102.0/24 log;
*:	+*.cs.vu.nl log;
.fi
.RE
.PP
(Note that the last rule doesn't match any of the services mentioned
explicitly earlier.)
.SH FILES
.TP 25n
.B /etc/serv.access
The service access check file.
.SH "SEE ALSO"
.BR servxcheck (3),
.BR services (5),
.BR inetd.conf (5).
.SH NOTES
It may be wise not to put checks on telnet.  It is reasonably secure, since
it always requires a password, and your only way in if things are seriously
hosed.
.SH BUGS
IP and DNS based access checks will stop most crackers, but not the really
determined ones.  Luckily MINIX 3 is sufficiently strange to thwart the well
known cracking schemes.  But don't ever allow yourself to feel secure.
.SH AUTHOR
Kees J. Bot <kjb@cs.vu.nl>
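
The evaluation rules from DESCRIPTION (tone set by the first check, left-to-right checks, explicit services shadowing later wildcards, DNS-failure handling) modelled in Python for auditing a rule file. This is an added example, not the servxcheck(3) source; the names wild, matches and evaluate are hypothetical. It assumes checks for a service accumulate across entries in file order and that a lone + or - matches every host, and it returns None when no rule names the service, a case the page does not define.

```python
import ipaddress
import re

# Rules copied from the page's "more paranoid" example.
RULES = """
# Service               # Access list
ftp http:               +;
smtp finger:            + log;
nntp:                   +flotsam.cs.vu.nl +jetsam.cs.vu.nl +172.16.102.0/24 log;
*:                      +*.cs.vu.nl log;
"""

def wild(pattern, name):
    """'*' matches any run of characters, including none; case is ignored."""
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, name, re.IGNORECASE) is not None

def matches(target, ip, host):
    """True/False for a check target; None if it is a name and DNS failed."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(target, strict=False)
    except ValueError:  # not an address or netaddr/len, so treat it as a host name
        return None if host is None else wild(target, host)

def evaluate(text, service, ip, host=None):
    """Return True (granted), False (denied) or None (no rule names the service).
    host is the DNS-verified peer name, or None when the lookups failed."""
    state, explicit = None, False
    for entry in re.sub(r"#.*", "", text).split(";"):
        services, sep, checks = entry.partition(":")
        hits = [s for s in services.split() if wild(s, service)]
        if not sep or not hits or (explicit and all("*" in s for s in hits)):
            continue  # a service named explicitly earlier ignores later wildcards
        explicit = explicit or any("*" not in s for s in hits)
        for check in checks.split():
            if check == "log" or check[0] not in "+-":
                continue  # logging flag or unknown token, not an access check
            grant, target = check[0] == "+", check[1:]
            if not target:
                state = grant  # lone "+" or "-": allow all / allow none
                continue
            if state is None:
                state = not grant  # first check sets the tone
            if state == grant:
                continue  # cannot change the outcome, so it is skipped
            m = matches(target, ip, host)
            # On DNS failure every -name denies and no +name grants.
            if m or (m is None and not grant):
                state = grant
    return state
```

Running candidate peers through evaluate() before installing a new /etc/serv.access shows which services a host with broken reverse DNS can still reach through address-based checks.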