[deployment-guide/comm-rel: 346/727] Updated the `acl' statement description.

Jaromir Hradilek jhradile at fedoraproject.org
Tue Oct 19 12:53:45 UTC 2010


commit 0e19608ec44fe6fe1c522849eb78bc25a382f67a
Author: Jaromir Hradilek <jhradile at redhat.com>
Date:   Thu Aug 12 12:31:22 2010 +0200

    Updated the `acl' statement description.

 en-US/The_BIND_DNS_Server.xml |  137 +++++++++++++++++++++++++----------------
 1 files changed, 84 insertions(+), 53 deletions(-)
---
diff --git a/en-US/The_BIND_DNS_Server.xml b/en-US/The_BIND_DNS_Server.xml
index ca0d05c..f54a7d2 100644
--- a/en-US/The_BIND_DNS_Server.xml
+++ b/en-US/The_BIND_DNS_Server.xml
@@ -309,70 +309,101 @@
       <para>
         The following types of statements are commonly used in <filename>/etc/named.conf</filename>:
       </para>
-      <section id="s3-bind-namedconf-state-acl">
-        <title><command>acl</command> Statement</title>
-        <para>
-          The <command>acl</command> (Access Control List) statement defines groups of hosts which can then be permitted or denied access to the nameserver.
-        </para>
-        <para>
-          An <command>acl</command> statement takes the following form:
-        </para>
-        <screen>acl <replaceable>&lt;acl-name&gt;</replaceable> {
-<replaceable>&lt;match-element&gt;</replaceable>;
-[<replaceable>&lt;match-element&gt;</replaceable>; ...]
-};</screen>
-        <para>
-          In this statement, replace <replaceable>&lt;acl-name&gt;</replaceable> with the name of the access control list and replace <replaceable>&lt;match-element&gt;</replaceable> with a semi-colon separated list of IP addresses. Most of the time, an individual IP address or CIDR network notation (such as <command>10.0.1.0/24</command>) is used to identify the IP addresses within the <command>acl</command> statement.
-        </para>
-        <para>
-          The following access control lists are already defined as keywords to simplify configuration:
-        </para>
-        <itemizedlist>
-          <listitem>
-            <para>
-              <command>any</command> — Matches every IP address
-            </para>
-          </listitem>
+      <variablelist>
+        <varlistentry>
+          <term><command>acl</command></term>
           <listitem>
             <para>
-              <command>localhost</command> — Matches any IP address in use by the local system
+              The <command>acl</command> (Access Control List) statement defines groups of hosts, so that they can be permitted or denied access to the nameserver. It takes the following form:
             </para>
-          </listitem>
-          <listitem>
+            <screen>acl <replaceable>acl-name</replaceable> {
+  <replaceable>match-element</replaceable>;
+  ...
+};</screen>
             <para>
-              <command>localnets</command> — Matches any IP address on any network to which the local system is connected
+              The <replaceable>acl-name</replaceable> statement name is the name of the access control list, and the <replaceable>match-element</replaceable> option is usually an individual IP address (such as <literal>10.0.1.1</literal>) or a CIDR network notation (for example, <literal>10.0.1.0/24</literal>). For a list of already defined keywords, see <xref linkend="table-bind-namedconf-common-acl" />.
             </para>
-          </listitem>
-          <listitem>
+            <table id="table-bind-namedconf-common-acl">
+              <title>Predefined access control lists</title>
+              <tgroup cols="2">
+                <colspec colname="keyword" colnum="1" colwidth="20*" />
+                <colspec colname="description" colnum="2" colwidth="60*" />
+                <thead>
+                  <row>
+                    <entry>
+                      Keyword
+                    </entry>
+                    <entry>
+                      Description
+                    </entry>
+                  </row>
+                </thead>
+                <tbody>
+                  <row>
+                    <entry>
+                      <option>any</option>
+                    </entry>
+                    <entry>
+                      Matches every IP address.
+                    </entry>
+                  </row>
+                  <row>
+                    <entry>
+                      <option>localhost</option>
+                    </entry>
+                    <entry>
+                      Matches any IP address that is in use by the local system.
+                    </entry>
+                  </row>
+                  <row>
+                    <entry>
+                      <option>localnets</option>
+                    </entry>
+                    <entry>
+                      Matches any IP address on any network to which the local system is connected.
+                    </entry>
+                  </row>
+                  <row>
+                    <entry>
+                      <option>none</option>
+                    </entry>
+                    <entry>
+                      Does not match any IP address.
+                    </entry>
+                  </row>
+                </tbody>
+              </tgroup>
+            </table>
             <para>
-              <command>none</command> — Matches no IP addresses
+              The <command>acl</command> statement can be especially useful with conjunction with other statements such as <command>options</command>. <xref linkend="example-bind-namedconf-common-acl" /> defines two access control lists, <literal>black-hats</literal> and <literal>red-hats</literal>, and adds <literal>black-hats</literal> on the blacklist while granting <literal>red-hats</literal> a normal access.
             </para>
-          </listitem>
-        </itemizedlist>
-        <para>
-          When used in conjunction with other statements (such as the <command>options</command> statement), <command>acl</command> statements can be very useful in preventing the misuse of a BIND nameserver.
-        </para>
-        <para>
-          The following example defines two access control lists and uses an <command>options</command> statement to define how they are treated by the nameserver:
-        </para>
-        <screen>  acl black-hats {
-  10.0.2.0/24;     192.168.0.0/24;     1234:5678::9abc/24;};
-  acl red-hats {     10.0.1.0/24;  };
+            <example id="example-bind-namedconf-common-acl">
+              <title>Using <command>acl</command> in conjunction with <command>options</command></title>
+              <screen>acl black-hats {
+  10.0.2.0/24;
+  192.168.0.0/24;
+  1234:5678::9abc/24;
+};
+acl red-hats {
+  10.0.1.0/24;
+};
 options {
   blackhole { black-hats; };
   allow-query { red-hats; };
   allow-query-cache { red-hats; };
-}</screen>
-        <para>
-          This example contains two access control lists, <command>black-hats</command> and <command>red-hats</command>. Hosts in the <command>black-hats</command> list are on the blacklist, while hosts in the <command>red-hats</command> list are given normal access.
-        </para>
-        <important>
-          <title>Important</title>
-          <para>
-            It is recommended to restrict recursive DNS services for only a particular subset of clients via allow-query-cache option. Otherwise nameserver will be easy target for DDoS attack.
-          </para>
-        </important>
-      </section>
+};</screen>
+            </example>
+            <!-- TODO: Move this admonition to the "options" statement description.
+            <important>
+              <title>Important</title>
+              <para>
+                It is recommended to restrict recursive DNS services for only a particular subset of clients via allow-query-cache option. Otherwise nameserver will be easy target for DDoS attack.
+              </para>
+            </important>
+            -->
+          </listitem>
+        </varlistentry>
+      </variablelist>
       <section id="s3-bind-namedconf-state-inc">
         <title><command>include</command> Statement</title>
         <para>
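Review bot: commenting out the `<important>` admonition about restricting recursive service (the TODO block near the end of the hunk) removes the page's only hardening advice from the rendered output until somebody finishes the move to the `options` description; keep it live here or do the move in this same commit. While it is being moved, its wording deserves a fix too: limiting who may recurse is done with `allow-recursion`, whereas `allow-query-cache` only governs who may read answers already in the cache, and an open recursive resolver is mostly a reflection and amplification tool against third parties rather than the DDoS target itself. Two smaller points in the new text: "with conjunction with" should read "in conjunction with", and "granting `red-hats` a normal access" should drop the article. In the example, `1234:5678::9abc/24` has non-zero bits beyond its 24-bit prefix (`5678` and `9abc` fall outside it), so a prefix that matches the address, for instance `2001:db8::/32` from the IPv6 documentation range, would be less confusing for readers copying the snippet.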

