Alternatively, you can specify protection by service instead of by host, by using the TCP class.
Note: For more information about the TCP class, see the Reference Guide.
Use the TCP class to control incoming and outgoing services.
For example, the following commands create a record for the ftp service with READ as the default access type (so, by default, hosts can use the service), but prevent hosts whose names match the pattern PUBLIC* from receiving the service:
newres TCP ftp defaccess(READ)
authorize TCP ftp hostnp(PUBLIC*) access(N)
You can also specify that only a particular user or group is permitted to receive a particular service. For example, to allow all users to ftp to a host called hermes, but to allow only members of the group acctng to access hermes with telnet, enter the following commands:
newres HOST hermes
newres TCP ftp owner(nobody) defaccess(read)
newres TCP telnet owner(nobody) defaccess(read)
authorize TCP ftp uid(*) host(hermes) access(write)
authorize TCP telnet gid(acctng) host(hermes) access(write)
Note: defaccess(read) disables outgoing services by default, because outgoing use of a service requires WRITE access; defaccess(write) disables incoming services by default, because incoming use requires READ access. In the example above, users are therefore granted access(write) to ftp and telnet to hermes.
If the HOST class is active (that is, if it is used as a criterion for access), then the TCP class cannot effectively be active. You can use the command setoptions class- HOST to deactivate the HOST class; then use the command setoptions class+ TCP (if necessary) to activate the TCP class. Deactivating the HOST class automatically deactivates GHOST, HOSTNET, and HOSTNP as well.
Also, if the TCP class is active, use the command setoptions class- CONNECT to deactivate the CONNECT class.
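The following is an added example, not CA Access Control code and not part of the original page. It is a small Python model of how the selang commands above are meant to behave: it parses the newres, authorize and setoptions lines shown on this page and answers "is this connection permitted?" for sample requests. Everything about the evaluation order is an assumption stated in the code: the first ACL entry whose accessor matches decides the access, and defaccess applies only when no entry matches; READ is taken to mean incoming use of a service and WRITE outgoing use, as in the hermes example; and TCP rules are treated as enforced only while the TCP class is active and the HOST class is inactive, as the page notes. The starting class states, the host names public1 and zeus, and the users alice and bob are also constructed for the example.

```python
"""Toy evaluator for the selang TCP-class rules shown on this page.

Added illustration, not CA Access Control code. Assumptions: the first ACL
entry whose accessor matches decides the access; if no entry matches, the
resource's defaccess applies. READ means incoming use of a service, WRITE
means outgoing use. TCP rules are enforced only while TCP is active and HOST
is inactive.
"""
import fnmatch
import shlex


def _args(tokens):
    """Turn tokens like ['uid(*)', 'access(write)'] into {'uid': '*', 'access': 'write'}."""
    out = {}
    for tok in tokens:
        name, _, rest = tok.partition("(")
        out[name.lower()] = rest.rstrip(")")
    return out


def _access_set(value):
    """access(N) or access(none) grants nothing; otherwise a comma-separated list."""
    value = value.lower()
    return set() if value in ("n", "none") else set(value.split(","))


class TcpPolicy:
    def __init__(self):
        # Starting state is an assumption: HOST active, TCP inactive, so the
        # page's setoptions steps are needed before TCP rules take effect.
        self.active = {"HOST": True, "TCP": False, "CONNECT": True}
        self.resources = {}  # (class, name) -> {"defaccess": set, "acl": [entries]}

    def load(self, script):
        for line in script.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            cmd, *rest = shlex.split(line)
            cmd = cmd.lower()
            if cmd == "setoptions" and rest[0] in ("class+", "class-"):
                on = rest[0].endswith("+")
                self.active[rest[1].upper()] = on
                if rest[1].upper() == "HOST" and not on:
                    # Per the page: deactivating HOST also deactivates these.
                    for cls in ("GHOST", "HOSTNET", "HOSTNP"):
                        self.active[cls] = False
            elif cmd == "newres":
                cls, name, opts = rest[0].upper(), rest[1], _args(rest[2:])
                self.resources[(cls, name)] = {
                    "defaccess": _access_set(opts.get("defaccess", "none")),
                    "acl": [],
                }
            elif cmd == "authorize":
                cls, name, opts = rest[0].upper(), rest[1], _args(rest[2:])
                entry = {k: v for k, v in opts.items() if k in ("uid", "gid", "host", "hostnp")}
                entry["access"] = _access_set(opts["access"])
                self.resources[(cls, name)]["acl"].append(entry)
            else:
                raise ValueError("unsupported selang line: " + line)
        return self

    @staticmethod
    def _matches(entry, host, user, groups):
        if "uid" in entry and not fnmatch.fnmatchcase(user, entry["uid"]):
            return False
        if "gid" in entry and entry["gid"] not in groups:
            return False
        if "host" in entry and entry["host"].lower() != host.lower():
            return False
        if "hostnp" in entry and not fnmatch.fnmatchcase(host.upper(), entry["hostnp"].upper()):
            return False
        return True

    def check(self, service, direction, host, user, groups=()):
        """Return 'permit', 'deny' or 'unenforced' for one connection attempt."""
        if not self.active["TCP"] or self.active["HOST"]:
            return "unenforced"
        res = self.resources.get(("TCP", service))
        if res is None:
            return "permit"  # assumption: no TCP record means no TCP-class restriction
        need = "read" if direction == "incoming" else "write"
        for entry in res["acl"]:
            if self._matches(entry, host, user, groups):
                return "permit" if need in entry["access"] else "deny"
        return "permit" if need in res["defaccess"] else "deny"


# The two command sets from this page merged into one script (the duplicate
# newres for ftp is dropped), preceded by the setoptions steps the page describes.
PAGE_RULES = """
setoptions class- HOST
setoptions class+ TCP
newres HOST hermes
newres TCP ftp owner(nobody) defaccess(read)
newres TCP telnet owner(nobody) defaccess(read)
authorize TCP ftp hostnp(PUBLIC*) access(N)
authorize TCP ftp uid(*) host(hermes) access(write)
authorize TCP telnet gid(acctng) host(hermes) access(write)
"""


def page_policy():
    return TcpPolicy().load(PAGE_RULES)


if __name__ == "__main__":
    p = page_policy()
    for args in [("ftp", "incoming", "public1", "alice"),
                 ("ftp", "outgoing", "hermes", "alice"),
                 ("telnet", "outgoing", "hermes", "bob", ("acctng",)),
                 ("telnet", "outgoing", "hermes", "alice")]:
        print(args, "->", p.check(*args))
```

Under the first-match assumption, note the side effect of the hermes rule: once `uid(*) host(hermes) access(write)` exists, an incoming ftp connection from hermes is matched by that entry and gets only WRITE, so the READ default no longer applies to it. If you rely on that default for a host you also grant outgoing access to, the entry should carry both authorities; check the Reference Guide for the product's exact precedence rules before depending on this model.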
Copyright © 2013 CA Technologies.
All rights reserved.