David C. Rankin wrote:
> My only question is why couldn't I make:
>
>     sshd : ALL EXCEPT LOCAL my.remote.ip : ALLOW
>
> work instead of the two entries I ended up making?
The "ALL EXCEPT LOCAL my.remote.ip" string takes a bit of deciphering to understand why it didn't work. Breaking it down, the answer can be found. The examples in /etc/hosts.allow show:

    ALL EXCEPT LOCAL

which is really like a double-negative within a double-negative. The man page states:

    EXCEPT
        Intended use is of the form: `list_1 EXCEPT list_2'; this construct
        matches anything that matches list_1 unless it matches list_2.

So at first look, it would seem that:

    sshd : ALL EXCEPT LOCAL : ALLOW

would, for ssh, match 'ALL' EXCEPT 'LOCAL', allowing 'ALL' access to ssh except local addresses (clearly not what the example was trying to do). But:

    LOCAL
        Matches any host whose name does not contain a dot character.

So what it is doing is saying: match all IP addresses in the world but not any that do *not* contain a dot, then allow. Well, the only addresses, out of all the IP addresses in the world, that do not 'not contain a dot' are local IP addresses --> so allow them.

GOD, THIS IS A TERRIBLE CHOICE OF WORDS FOR AN EXAMPLE.

So

    sshd : ALL EXCEPT my.ip.address : ALLOW

does just what it says it will do. It will allow ALL to connect but *block* my.ip.address from being able to connect.

After two aspirin, I guess it would make more logical sense if the example actually said:

    sshd : ALL EXCEPT NOTLOCAL : ALLOW

Two more aspirin needed....

-- 
David C. Rankin, J.D.,P.E.       | openSoftware und SystemEntwicklung
Rankin Law Firm, PLLC            | Countdown for openSuSE 11.1
www.rankinlawfirm.com            | http://counter.opensuse.org/11.1/small
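As an added illustration (not part of the original post or of tcp_wrappers itself), the following Python models the hosts_access(5) matching rules just enough to evaluate the attempted rule against the intended one; the client names (my.remote.ip, someone.example.net, workstation) are constructed placeholders, and reverse-DNS checks, user@host patterns and wildcards are deliberately not modelled.

```python
# Added example, not the page's or tcp_wrappers' own code: a minimal model
# of hosts.allow / hosts.deny matching for ALL, LOCAL, EXCEPT, exact names,
# ".domain" suffixes and "net." prefixes.  Client names are constructed.

def _match_token(tok, client):
    """Match one pattern token against a client name (hostname or address)."""
    if tok == "ALL":
        return True
    if tok == "LOCAL":                      # man page: name without a dot
        return "." not in client
    if tok.startswith("."):                 # ".example.org" suffix match
        return client.endswith(tok)
    if tok.endswith("."):                   # "192.0.2." network prefix
        return client.startswith(tok)
    return tok == client

def match_list(pattern, client):
    """Evaluate 'list_1 EXCEPT list_2'; EXCEPT nests to the right."""
    toks = pattern.replace(",", " ").split()
    if "EXCEPT" in toks:
        i = toks.index("EXCEPT")
        left, right = " ".join(toks[:i]), " ".join(toks[i + 1:])
        return match_list(left, client) and not match_list(right, client)
    return any(_match_token(t, client) for t in toks)

def access_decision(hosts_allow, hosts_deny, daemon, client):
    """First hosts.allow match grants, then first hosts.deny match refuses,
    otherwise access is granted (the tcpd default).  An explicit ALLOW/DENY
    option in the third field overrides the table's verdict."""
    for table, verdict in ((hosts_allow, "ALLOW"), (hosts_deny, "DENY")):
        for line in table:
            fields = [f.strip() for f in line.split(":")]
            if len(fields) < 2:
                continue
            if match_list(fields[0], daemon) and match_list(fields[1], client):
                return fields[2] if len(fields) > 2 else verdict
    return "ALLOW"

# Constructed rule sets: the rule from the question versus the intended one.
DENY = ["sshd : ALL"]
ATTEMPT = ["sshd : ALL EXCEPT LOCAL my.remote.ip : ALLOW"]
INTENDED = ["sshd : LOCAL, my.remote.ip : ALLOW"]

if __name__ == "__main__":
    for client in ("my.remote.ip", "someone.example.net", "workstation"):
        print(client, access_decision(ATTEMPT, DENY, "sshd", client),
              access_decision(INTENDED, DENY, "sshd", client))
```

Running it shows the attempted rule refusing my.remote.ip and the local workstation while admitting every other host, which is exactly the inversion the post describes; the intended rule admits only the two listed clients.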