[deployment-guide/comm-rel: 346/727] Updated the `acl' statement description.
Jaromir Hradilek
jhradile at fedoraproject.org
Tue Oct 19 12:53:45 UTC 2010
commit 0e19608ec44fe6fe1c522849eb78bc25a382f67a
Author: Jaromir Hradilek <jhradile at redhat.com>
Date: Thu Aug 12 12:31:22 2010 +0200
Updated the `acl' statement description.
en-US/The_BIND_DNS_Server.xml | 137 +++++++++++++++++++++++++----------------
1 files changed, 84 insertions(+), 53 deletions(-)
---
diff --git a/en-US/The_BIND_DNS_Server.xml b/en-US/The_BIND_DNS_Server.xml
index ca0d05c..f54a7d2 100644
--- a/en-US/The_BIND_DNS_Server.xml
+++ b/en-US/The_BIND_DNS_Server.xml
@@ -309,70 +309,101 @@
<para>
The following types of statements are commonly used in <filename>/etc/named.conf</filename>:
</para>
- <section id="s3-bind-namedconf-state-acl">
- <title><command>acl</command> Statement</title>
- <para>
- The <command>acl</command> (Access Control List) statement defines groups of hosts which can then be permitted or denied access to the nameserver.
- </para>
- <para>
- An <command>acl</command> statement takes the following form:
- </para>
- <screen>acl <replaceable><acl-name></replaceable> {
-<replaceable><match-element></replaceable>;
-[<replaceable><match-element></replaceable>; ...]
-};</screen>
- <para>
- In this statement, replace <replaceable><acl-name></replaceable> with the name of the access control list and replace <replaceable><match-element></replaceable> with a semi-colon separated list of IP addresses. Most of the time, an individual IP address or CIDR network notation (such as <command>10.0.1.0/24</command>) is used to identify the IP addresses within the <command>acl</command> statement.
- </para>
- <para>
- The following access control lists are already defined as keywords to simplify configuration:
- </para>
- <itemizedlist>
- <listitem>
- <para>
- <command>any</command> — Matches every IP address
- </para>
- </listitem>
+ <variablelist>
+ <varlistentry>
+ <term><command>acl</command></term>
<listitem>
<para>
- <command>localhost</command> — Matches any IP address in use by the local system
+ The <command>acl</command> (Access Control List) statement defines groups of hosts, so that they can be permitted or denied access to the nameserver. It takes the following form:
</para>
- </listitem>
- <listitem>
+ <screen>acl <replaceable>acl-name</replaceable> {
+ <replaceable>match-element</replaceable>;
+ ...
+};</screen>
<para>
- <command>localnets</command> — Matches any IP address on any network to which the local system is connected
+ The <replaceable>acl-name</replaceable> statement name is the name of the access control list, and the <replaceable>match-element</replaceable> option is usually an individual IP address (such as <literal>10.0.1.1</literal>) or a CIDR network notation (for example, <literal>10.0.1.0/24</literal>). For a list of already defined keywords, see <xref linkend="table-bind-namedconf-common-acl" />.
</para>
- </listitem>
- <listitem>
+ <table id="table-bind-namedconf-common-acl">
+ <title>Predefined access control lists</title>
+ <tgroup cols="2">
+ <colspec colname="keyword" colnum="1" colwidth="20*" />
+ <colspec colname="description" colnum="2" colwidth="60*" />
+ <thead>
+ <row>
+ <entry>
+ Keyword
+ </entry>
+ <entry>
+ Description
+ </entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>
+ <option>any</option>
+ </entry>
+ <entry>
+ Matches every IP address.
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <option>localhost</option>
+ </entry>
+ <entry>
+ Matches any IP address that is in use by the local system.
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <option>localnets</option>
+ </entry>
+ <entry>
+ Matches any IP address on any network to which the local system is connected.
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <option>none</option>
+ </entry>
+ <entry>
+ Does not match any IP address.
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
<para>
- <command>none</command> — Matches no IP addresses
+ The <command>acl</command> statement can be especially useful with conjunction with other statements such as <command>options</command>. <xref linkend="example-bind-namedconf-common-acl" /> defines two access control lists, <literal>black-hats</literal> and <literal>red-hats</literal>, and adds <literal>black-hats</literal> on the blacklist while granting <literal>red-hats</literal> a normal access.
</para>
- </listitem>
- </itemizedlist>
- <para>
- When used in conjunction with other statements (such as the <command>options</command> statement), <command>acl</command> statements can be very useful in preventing the misuse of a BIND nameserver.
- </para>
- <para>
- The following example defines two access control lists and uses an <command>options</command> statement to define how they are treated by the nameserver:
- </para>
- <screen> acl black-hats {
- 10.0.2.0/24; 192.168.0.0/24; 1234:5678::9abc/24;};
- acl red-hats { 10.0.1.0/24; };
+ <example id="example-bind-namedconf-common-acl">
+ <title>Using <command>acl</command> in conjunction with <command>options</command></title>
+ <screen>acl black-hats {
+ 10.0.2.0/24;
+ 192.168.0.0/24;
+ 1234:5678::9abc/24;
+};
+acl red-hats {
+ 10.0.1.0/24;
+};
options {
blackhole { black-hats; };
allow-query { red-hats; };
allow-query-cache { red-hats; };
-}</screen>
- <para>
- This example contains two access control lists, <command>black-hats</command> and <command>red-hats</command>. Hosts in the <command>black-hats</command> list are on the blacklist, while hosts in the <command>red-hats</command> list are given normal access.
- </para>
- <important>
- <title>Important</title>
- <para>
- It is recommended to restrict recursive DNS services for only a particular subset of clients via allow-query-cache option. Otherwise nameserver will be easy target for DDoS attack.
- </para>
- </important>
- </section>
+};</screen>
+ </example>
+ <!-- TODO: Move this admonition to the "options" statement description.
+ <important>
+ <title>Important</title>
+ <para>
+ It is recommended to restrict recursive DNS services for only a particular subset of clients via allow-query-cache option. Otherwise nameserver will be easy target for DDoS attack.
+ </para>
+ </important>
+ -->
+ </listitem>
+ </varlistentry>
+ </variablelist>
<section id="s3-bind-namedconf-state-inc">
<title><command>include</command> Statement</title>
<para>
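Review bot: The `<!-- TODO ... -->` block at the end of the hunk comments out the only security guidance in this section (restricting recursive service via `allow-query-cache` so the nameserver is not an easy DDoS target), so the rendered guide loses that warning until the TODO is acted on; move the admonition into the `options` description in this same commit rather than parking it in a comment. In the new example, `1234:5678::9abc/24;` carries host bits beyond the /24 prefix (both `5678` and `9abc` lie past bit 24), a mismatch carried over from the old text; a clean prefix such as the reserved documentation range `2001:db8::/32` would make the example valid as written. Two wording fixes in the new `<para>`: "especially useful with conjunction with other statements" should read "in conjunction with", and "granting `red-hats` a normal access" should drop the article ("normal access"); "The `acl-name` statement name is the name of the access control list" could also be simplified to "`acl-name` is the name of the access control list".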