Old 09-02-2011, 01:41 AM  
Yil

Does anybody actually use the etc/Hosts.Rules file? If so do you simply use it mostly as is and just add a few deny rules to ban particular hosts? Does anybody define user classes and use the per-ip connection limits? Is there any situation where the userfile per-IP limits wouldn't work just as well or even better?

I'm looking into making this file a .ini style file instead of a custom format and ditching some of the stuff I don't think anyone needs.

A long time ago this file served a purpose. I used it on a personal FTP to lock down the logins to just a few IP addresses I used, but I've since added the Reject_Unknown_Ips option which, if enabled, is more flexible and for the moment the only way to get dynamic IP addresses added. I even had the KNOCK protocol so I could get in from unknown IPs if I needed to. Today I just don't see any reason why the server would need ALLOW rules except as a way to get around overly broad DENY rules blocking large ranges of hosts.

I want to make this so you can modify it at runtime but have the server permanently remember entries if desired, but I get into a problem if the order of entries matters like it does today. I'm thinking there isn't really a need for anything except a way to ban hosts and perhaps allow a few specific ones, and thus I could process the allow list and if there's a match it's allowed, else walk the deny lists and if found it's denied, else it's allowed. Of course "allowed" is relative; it STILL has to match the host/IP portion of at least one user's hostmask if the Reject_Unknown_Ips option is enabled (or have KNOCK'd).

A separate FXP allow/deny ruleset would work the same way.

Before I make the change I just wanted to see if anyone is actually doing anything tricky that couldn't be done another way...

In short, the "policy" would always be ALLOW as the option would be removed, all user-definable classes and thus per-class login limits would be removed (with no alternative way to get this functionality), and per-login limits defined by IP/host would be removed, though you can use the per-user per-IP limit to get the same thing for most cases. Allow/Deny rules would be order-independent and thus not as expressive, but dynamically updateable.
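The evaluation order sketched in the post (allow list first, then the deny lists, default allow, followed by the Reject_Unknown_Ips gate against user hostmasks) as a worked example. This is added illustration code, not ioFTPD's own implementation and not something the post's author wrote. The rule syntax (single IPs or CIDR networks, plus "*" globs tried against the dotted IP and the reverse-DNS name), the "ident@host" hostmask form, and every function name here are assumptions made for the example. It also shows, beside the proposed unordered evaluation, a first-match-wins ordered ruleset, so the "not as expressive" point in the post is visible on a concrete input: an ordered list can re-deny a single host inside an allowed /16, the unordered form cannot.

```python
"""Order-independent allow/deny evaluation for an FTP host-rules file.

Added example, not ioFTPD code. Rule syntax (CIDR/IP, or '*' globs tried
against the textual IP and the reverse-DNS name) and the "ident@host"
hostmask form are assumptions made here for illustration.
"""
import fnmatch
import ipaddress


def pattern_matches(pattern, ip, hostname=None):
    """True if `pattern` covers the client at `ip` (optionally with a reverse-DNS name)."""
    try:
        net = ipaddress.ip_network(pattern, strict=False)   # "10.0.0.0/8" or "10.1.2.3"
    except ValueError:                                      # not an address: treat as glob
        if fnmatch.fnmatchcase(ip, pattern):
            return True
        return hostname is not None and fnmatch.fnmatchcase(hostname.lower(), pattern.lower())
    return ipaddress.ip_address(ip) in net


def evaluate_ordered(rules, ip, hostname=None):
    """Today's style (assumed): ordered (action, pattern) list, first match wins, default allow."""
    for action, pattern in rules:
        if pattern_matches(pattern, ip, hostname):
            return action
    return "allow"


def evaluate_proposed(allow, deny, ip, hostname=None):
    """Proposed style: unordered sets; any allow match wins, else any deny match denies, else allow."""
    if any(pattern_matches(p, ip, hostname) for p in allow):
        return "allow"
    if any(pattern_matches(p, ip, hostname) for p in deny):
        return "deny"
    return "allow"


def login_permitted(allow, deny, user_hostmasks, ip, hostname=None,
                    reject_unknown_ips=True, knocked=False):
    """Full decision: host rules first, then the Reject_Unknown_Ips gate.

    A client passing the rules must still match the host part of at least one
    user's "ident@host" mask, unless the option is off or the client KNOCK'd.
    """
    if evaluate_proposed(allow, deny, ip, hostname) == "deny":
        return False
    if not reject_unknown_ips or knocked:
        return True
    host_parts = [m.split("@", 1)[1] if "@" in m else m for m in user_hostmasks]
    return any(pattern_matches(h, ip, hostname) for h in host_parts)


# Constructed sample policy: block a /8 but let one /16 in; the ordered form
# additionally re-denies a single host inside that /16, which the unordered
# form cannot express (its allow entry wins first).
ORDERED_RULES = [
    ("deny", "10.1.2.3"),
    ("allow", "10.1.0.0/16"),
    ("deny", "10.0.0.0/8"),
]
PROPOSED_ALLOW = ["10.1.0.0/16"]
PROPOSED_DENY = ["10.0.0.0/8", "10.1.2.3"]

# Constructed user hostmasks across the userfile (ident@host form assumed).
USER_HOSTMASKS = ["alice@10.1.*", "bob@*.example.net"]

if __name__ == "__main__":
    for client in ("10.1.2.3", "10.1.9.9", "10.7.0.1", "203.0.113.5"):
        print(client, "ordered:", evaluate_ordered(ORDERED_RULES, client),
              "proposed:", evaluate_proposed(PROPOSED_ALLOW, PROPOSED_DENY, client))
    print("unknown IP, reverse-DNS matches bob:",
          login_permitted(PROPOSED_ALLOW, PROPOSED_DENY, USER_HOSTMASKS,
                          "203.0.113.5", "ftp.example.net"))
    print("unknown IP, no rDNS, no knock:",
          login_permitted(PROPOSED_ALLOW, PROPOSED_DENY, USER_HOSTMASKS, "203.0.113.5"))
```

Running it shows 10.1.2.3 denied by the ordered list but allowed by the proposed one, and 203.0.113.5 (allowed by the rules in both forms) only logging in once a hostmask or a KNOCK vouches for it; a host the deny list rejects is refused even after a KNOCK, since the rules run before the gate.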