<!-- $Id: mod_wrap2_file.html,v 1.2 2008/12/17 00:24:47 castaglia Exp $ -->
<!-- $Source: /cvsroot/proftp/proftpd/doc/contrib/mod_wrap2_file.html,v $ -->
<html>
<head>
<title>ProFTPD module mod_wrap2_file</title>
</head>
<body bgcolor=white>
<hr><br>
<center>
<h2><b>ProFTPD module <code>mod_wrap2_file</code></b></h2>
</center>
<hr><br>
This <code>mod_wrap2</code> submodule is contained in the
<code>mod_wrap2_file.c</code>, and is not compiled by default. See the
<code>mod_wrap2</code> <a href="mod_wrap2.html#Installation">installation</a>
instructions.
<p>
This submodule provides the file-specific "driver" for storing
IP/DNS-based access control information in files.
<p>
Many programs will automatically add entries in the common
<code>hosts.allow</code>/<code>hosts.deny</code> files, and use of this module
will allow a <code>proftpd</code> daemon running in <code>standalone</code>
mode to adapt as these entries are added. The <code>portsentry</code> program
does this, for example: when illegal access is attempted, it will add hosts to
the <code>/etc/hosts.deny</code> file.
<h2>Author</h2>
<p>
Please contact TJ Saunders <tj <i>at</i> castaglia.org> with any
questions, concerns, or suggestions regarding this module.
<p>
<hr><h2><a name="FileTables">File Access Tables</a></h2>
Using file-based access tables (<em>source-type</em> of "file") the
data will be stored in the familiar <code>hosts.allow</code>,
<code>hosts.deny</code> file format.
<p>
The <code>mod_wrap2_file</code> module supports the "file" string
for the <em>source-type</em> parameter of the
<a href="mod_wrap2.html#WrapUserTables"><code>WrapUserTables</code></a>,
<a href="mod_wrap2.html#WrapGroupTables"><code>WrapGroupTables</code></a>,
and
<a href="mod_wrap2.html#WrapTables"><code>WrapTables</code></a>,
configuration directives. If the "file" <em>source-type</em>
is used, then the <em>source-info</em> parameter must be the full path to
the file table.
<p>
Both file names are required. Also, the paths to both files must be the full
path, with two exceptions: if the path starts with <code>~/</code>, the check
of that path will be delayed until a user requests a connection, at which time
the path will be resolved to that user's home directory; or if the path starts
with <code>~user/</code>, where user is some system user. In this latter case,
<code>mod2_wrap</code> will attempt to resolve and verify the given user's home
directory on start-up.
<p>
The format for the files used by <code>mod_wrap2_file</code> is described
in the <code>host_access(5)</code> man page.
<p>
Examples:
<pre>
# Server-wide access files
WrapTables file:/etc/hosts.allow file:/etc/hosts.deny
# FTP server-specific access files
WrapTables file:/etc/ftpd.allow file:/etc/ftpd.deny
# Per-user access files, which are to be found in the user's home directory
WrapUserTables file:~/my.allow file:~/my.deny
</pre>
<p>
<hr><h2><a name="FileExamples">Example File Tables</a></h2>
The following examples are taken from the <code>hosts_access(5)</code> man page:
<p>
<b>Mostly Closed</b><br>
In this case, access is denied by default. Only explicitly authorized hosts
are permitted access.
<p>
The default policy (no access) is implemented with a trivial deny file:
<pre>
/etc/hosts.deny:
ALL: ALL
</pre>
This denies all service to all hosts, unless they are permitted access by
entries in the allow file.
<p>
The explicitly authorized hosts are listed in the allow file. For example:
<pre>
/etc/hosts.allow:
ALL: LOCAL @some_netgroup
ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
</pre>
The first rule permits access from hosts in the local domain (no `.' in the
host name) and from members of the <em>some_netgroup</em> netgroup. The
second rule permits access from all hosts in the <em>.foobar.edu</em> domain
(notice the leading dot), with the exception of
<em>terminalserver.foobar.edu</em>.
<p>
<b>Mostly Open</b><br>
Here, access is granted by default; only explicitly specified hosts are
refused service.
<p>
The default policy (access granted) makes the allow file redundant so that it
can be omitted. The explicitly non-authorized hosts are listed in the deny
file. For example:
<pre>
/etc/hosts.deny:
ALL: some.host.name, .some.domain
ALL EXCEPT in.fingerd: other.host.name, .other.domain
</pre>
The first rule denies some hosts and domains all services; the second rule
still permits finger requests from other hosts and domains.
</pre>
<p>
<hr><br>
Author: <i>$Author: castaglia $</i><br>
Last Updated: <i>$Date: 2008/12/17 00:24:47 $</i><br>
<br><hr>
<font size=2><b><i>
© Copyright 2000-2008 TJ Saunders<br>
All Rights Reserved<br>
</i></b></font>
<hr><br>
</body>
</html>
