A string that begins with a .' character. A host name is matched if the last components of its name match the specified pattern. For example, the pattern .tue.nl' matches the host name wzv.win.tue.nl'.
A string that ends with a .' character. A host address is matched if its first numeric fields match the given string. For example, the pattern 131.155.' matches the address of (almost) every host on the Eind hoven University network (131.155.x.x).
A string that begins with an @' character is treated as an NIS (formerly YP) netgroup name. A host name is matched if it is a host member of the specified netgroup. Netgroup matches are not supported for daemon process names or for client user names.
An expression of the form n.n.n.n/m.m.m.m' is interpreted as a net/mask' pair. A host address is matched if net' is equal to the bitwise AND of the address and the mask'. For example, the net/mask pattern 126.96.36.199/255.255.254.0' matches every address in the range 188.8.131.52' through 184.108.40.206'.
An expression of the form [n:n:n:n:n:n:n:n]/m' is interpreted as a [net]/prefixlen' pair. A IPv6 host address is matched if prefixlen' bits of net' is equal to the prefixlen' bits of the address. For example, the [net]/prefixlen pattern [3ffe:505:2:1::]/64' matches every address in the range 3ffe:505:2:1::' through 3ffe:505:2:1:ffff:ffff:ffff:ffff'.
A string that begins with a /' character is treated as a file name. A host name or address is matched if it matches any host name or address pattern listed in the named file. The file format is zero or more lines with zero or more host name or address patterns separated by whitespace. A file name pattern can be used anywhere a host name or address pattern can be used.
Matches any host whose name does not contain a dot character.
Matches any user whose name is unknown, and matches any host whose name or address are unknown. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to.
Matches any user whose name is known, and matches any host whose name and address are known. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to.
Matches any host whose name does not match its address. When tcpd is built with -DPARANOID (default mode), it drops requests from such clients even before looking at the access control tables. Build without -DPARANOID when you want more control over such requests.
Intended use is of the form: list_1 EXCEPT list_2'; this construct matches anything that matches list_1 unless it matches list_2. The EXCEPT operator can be used in daemon_lists and in client_lists. The EXCEPT operator can be nested: if the control language would permit the use of parentheses, a EXCEPT b EXCEPT c' would parse as (a EXCEPT (b EXCEPT c))'.
The client username information cannot be trusted when it is needed most, i.e. when the client system has been compromised. In general, ALL and (UN)KNOWN are the only user name patterns that make sense.
Username lookups are possible only with TCP-based services, and only when the client host runs a suitable daemon; in all other cases the result is "unknown".
A well-known UNIX kernel bug may cause loss of service when username lookups are blocked by a firewall. The wrapper README document describes a procedure to find out if your kernel has this bug.
Username lookups may cause noticeable delays for non-UNIX users. The default timeout for username lookups is 10 seconds: too short to cope with slow networks, but long enough to irritate PC users.
Selective username lookups can alleviate the last problem. For example, a rule like:
daemon_list : @pcnetgroup ALL@ALL
would match members of the pc netgroup without doing username lookups, but would perform username lookups with all other systems.