# =====================================================================
# acl.rc: access control lists for TW rc(1) programs.
#
# Copyright (c) 2005,2007 Carlo Strozzi
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 dated June, 1991.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# =====================================================================

# WARNING: access control based on REMOTE_ADDR can be bypassed when
# inside a stunnel(8) SSL channel, unless special care is taken. To try
# and work out the remote client address I use a session cookie, which
# can be forged by the client, of course. To make this more bullet-proof
# I need to:
#
# 1) Trust the actual client address only if coming in over a non-SSL
#    channel.
#
# 2) Store the trusted address in the current session.
#
# 3) Given rules (1) and (2), the only other thing that a client can do
#    is to clear the session cookie, so I need unconditionally to deny
#    access to clients providing an empty REMOTE_ADDR value.

# Rule (3): an empty REMOTE_ADDR is refused before any per-program check.
~ $REMOTE_ADDR () && csaExit.http 403

# Dispatch on the name of the program being run (last element of $CSA_PGM).
switch ($CSA_PGM($#CSA_PGM)) {

# case *;
#	# Allow everyone.
#	~ $REMOTE_ADDR \
#		[0-2]* \
#		80.183.147.242 \
#		192.168.1.* || csaExit.http 403

case ()
	csaExit.http 403

case *;
	#csaExit.http 403
}

# EOF
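The three trust rules from the WARNING block, combined with a glob-style allow list like the one commented out inside the switch, as an added POSIX sh example that is not part of acl.rc or the TW distribution. The function names and the "plain"/"ssl" channel flag are assumptions of this sketch; acl.rc itself obtains the address through its session mechanism, which here is replaced by an explicit argument.

```shell
#!/bin/sh
# Added example, not part of acl.rc: the three trust rules from the
# WARNING block plus a glob allow-list, written as POSIX sh. Function
# names and the "plain"/"ssl" channel flag are assumptions of this sketch.

# acl_matches ADDR PATTERN... : succeed if ADDR matches any shell glob
# (the same pattern syntax acl.rc hands to rc's '~', e.g. '192.168.1.*').
acl_matches() {
    addr=$1; shift
    for pat in "$@"; do
        case $addr in
            $pat) return 0 ;;   # unquoted on purpose: glob match
        esac
    done
    return 1
}

# acl_trusted_addr REMOTE_ADDR CHANNEL SESSION_ADDR : print the address
# the ACL may rely on, or print nothing and fail (caller answers 403).
acl_trusted_addr() {
    remote=$1; channel=$2; session=$3
    case $channel in
        plain)
            # Rules 1 and 3: only the direct TCP peer address seen on the
            # non-SSL channel is trusted, and it must not be empty.
            [ -n "$remote" ] || return 1
            # Rule 2: this is the value to record in the session.
            printf '%s\n' "$remote"
            ;;
        ssl)
            # Behind stunnel the peer address is the tunnel's own, so only
            # an address stored earlier over a plain channel may be used;
            # an empty (cleared) session value is refused outright.
            [ -n "$session" ] || return 1
            printf '%s\n' "$session"
            ;;
        *)  return 1 ;;
    esac
}

# acl_decide REMOTE_ADDR CHANNEL SESSION_ADDR PATTERN... : echo the HTTP
# status the ACL would answer with, 200 (allowed) or 403 (denied).
acl_decide() {
    addr=$(acl_trusted_addr "$1" "$2" "$3") || { echo 403; return 0; }
    shift 3
    if acl_matches "$addr" "$@"; then echo 200; else echo 403; fi
}
```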