.TH NETACL 8 "August 2007" "OpenFWTK"
.SH NAME
netacl \- TCP network access control daemon
.SH SYNOPSIS
.BI "netacl [-daemon " "port" "] [-fastdaemon " "port" "] " service
.SH DESCRIPTION
.IX "netacl" "" "\(em TCP network access control daemon"
The Firewall Toolkit network access control daemon is a TCP wrapper program that
provides configurable access control and logging mechanisms.
The network access control daemon, which runs on the firewall, starts different
applications based on the source address of the request.
.PP
Using the network access control daemon, you can allow certain hosts to access a
standard UNIX program, such as the TELNET daemon, while requests from all other
hosts are passed to the TELNET proxy.
.PP
The network access control daemon allows you to configure which hosts have access
to which TCP-based services.
Note that it does not allow you to start UDP-based services.
The access control daemon logs all successful and unsuccessful connections.
.PP
The firewall runs different instances of the network access control daemon
.RB "(" netacl ")"
on different ports for different applications, based on the information in the
.I /etc/rc.local
file.
The
.I /etc/rc.local
file indicates which services should run on which ports.
For example, the firewall runs an instance of the network access control daemon
on port 23 to handle TELNET requests.
.PP
When the network access control daemon receives a request on a port on which it
is listening, the daemon checks its configuration information (in the
.IR "netperm-table" )
and determines whether the initiating host has permission to initiate this type
of request.
The network access control daemon then verifies that it has permission to run.
If the host does not have permission or the network access control daemon is not
permitted to run, the firewall displays an error message.
.PP
If the host has permission and the network access control daemon is permitted to
run, the network access control daemon then starts the program specified in the
netperm-table.
For example, the network access control daemon might start the TELNET proxy
.RB "(" tn-gw ")"
for some initiating hosts and the actual TELNET daemon
.RB "(" telnetd ")"
for other initiating hosts.
.SH OPTIONS
.SS Command Line Options
The network access control daemon recognizes the following command line options
(whether started from the command line or from within
.IR /etc/rc.local ):
.TP
.BI "-daemon " port
Indicates that the network access control daemon runs as a daemon, and the port
(name or number) on which the network access control daemon listens.
.TP
.BI "-fastdaemon " port
Indicates that the network access control daemon runs as a daemon, and the port
(name or number) on which the network access control daemon listens.
When the
.I -fastdaemon
option is used, the configuration is read from the
.I netperm-table
when the daemon starts or when it receives
.IR SIGHUP .
.TP
.I service
Indicates the name of the service the network access control daemon runs.
.SS Configuration Options
The network access control daemon reads configuration rules from
.IR "/usr/local/etc/netperm-table" .
It reads all rules using the
.B netacl
(or the name specified with the -as option) and
.B *
(wildcard) keywords.
The network access control daemon reads the
.I netperm-table
from top to bottom.
If there are multiple rules in the table that could apply to a particular
attribute, the network access control daemon uses the first one that it finds.
See
.BR "netperm-table" (5)
for a more complete explanation of
.I netperm-table
syntax and precedence.
.PP
The network access control daemon recognizes the following attributes:
.TP
.BI "groupid " group
Specifies the name of the group the network access control daemon uses when
running.
.RS
.TP
.I group
Specifies either a name or numeric id from the
.I /etc/group
file.
.RE
.TP
.BI "hosts " [options]
Specifies a host permission rule.
Host permission rules are in the form of:
.sp
.na
.nf
netacl-in.telnet: permit-hosts host1 host2 -options
netacl-in.telnet: deny-hosts host1 host2 -options
.fi
.ad
.sp
Following the
.B permit-hosts
or
.B deny-hosts
clause is a list of host names or IP addresses, which can contain wildcards.
Host names are searched in order until the first option (starting with a '-')
is encountered, at which point, if there is a match for that rule, it will be
accepted.
If the rule is a deny-hosts rule, the program will log the denial of service and
exit.
If it is a permit-hosts rule, the options will be processed and executed in
order.
If there is no rule explicitly permitting or denying a service, the service is
denied.
Options are:
.RS
.IP
.BI "\-exec " "executable [args]"
specifies a program to invoke to handle the service.
This option
.B must
be the final option in the rule.
A -exec option
.B must
be present in every rule.
.IP
.BI "\-user " userid
where userid is the numeric UID or the name from a login in
.B /etc/passwd
which the program should be invoked as.
.IP
.BI "\-chroot " rootdir
specifies a directory to which
.B netacl
should chroot(2) prior to invoking the service program.
This requires that the service program be present under the new root, and that
the pathname for the executable be relative to the new root.
.IP
.B \-klaxon
enables "burglar alarm" mode.
Any connection matching this rule will cause a "securityalert" log record.
.RE
.TP
.BI "timeout " seconds
Specifies the number of seconds the network access control daemon is idle (with
no network activity) before disconnecting.
.SH EXAMPLES
This example shows the configuration lines in the netperm-table that start the
TELNET daemon for connections from localhost and the TELNET proxy for all other
connections:
.sp 1
.nf
.na
#starts telnet for connections from localhost
netacl-telnetd: permit-hosts 127.0.0.1 -exec /usr/libexec/telnetd
.sp 1
#starts the telnet proxy for all other connections
netacl-telnetd: permit-hosts * -exec /usr/local/etc/tn-gw
.ad
.fi
.LP
Another example, using netacl to verify permission for using a service:
.sp 1
.nf
.na
netacl-telnetd: permit-hosts 1.2.3.* -exec /usr/libexec/telnetd
netacl-ftpd: permit-hosts unknown -exec /bin/cat /etc/noftp.txt
netacl-ftpd: permit-hosts 1.2.3.* -exec /usr/etc/in.ftpd
netacl-ftpd: permit-hosts * -chroot /home/ftp -exec /bin/ftpd -f
.ad
.fi
.LP
In the example above,
.B netacl
is configured to permit telnet only for hosts in a particular subnet.
.B ftpd
is configured to accept all connections from systems that do not have a valid
DNS name ("unknown") and to invoke
.B cat
to display a file when a connection is made.
This provides an easy and flexible means of politely informing someone that they
are not permitted to use a service.
Hosts in the specified subnet are connected to the real FTP server in
.B /usr/etc/in.ftpd
but all connections from other networks are connected to a version of the FTP
server that is already chrooted to the FTP area, effectively making all FTP
activity "captive".
.SH FILES
.IP /etc/rc.local
Command script that controls automatic reboot, and includes startup information
for the network access control daemon.
.IP /usr/local/etc/netperm-table
The network permissions file contains configuration information for the Firewall
Toolkit, including the network access control daemon.
.SH BUGS
Report bugs to arkenoi@gmail.com or the fwtk-users@buoy.com mailing list.
Include a complete example, explaining what you expected to happen and what
actually happened.
Be sure to indicate the type of system (operating system, hardware, etc.) you
are using, as well as the version of the netacl proxy.
.SH AUTHOR
ArkanoiD.
.SH SEE ALSO
.BR netperm-table "(5), " rc "(8)"
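The host-rule semantics described under the hosts attribute (host list up to the first '-' option, first matching rule wins, deny-hosts logs and exits, no match means deny) and the ftpd example above, simulated as an added Python example. This is not OpenFWTK code; the sample table is constructed, only exact netacl-<service> keys are honoured, and wildcards are approximated with fnmatch.

```python
"""Simulate netacl host-rule evaluation (added example, not OpenFWTK code)."""
import fnmatch

# Constructed sample netperm-table, modelled on the second example above.
SAMPLE_TABLE = """\
netacl-telnetd: permit-hosts 1.2.3.* -exec /usr/libexec/telnetd
netacl-ftpd: permit-hosts unknown -exec /bin/cat /etc/noftp.txt
netacl-ftpd: deny-hosts 192.168.*.* -klaxon
netacl-ftpd: permit-hosts 1.2.3.* -user ftp -exec /usr/etc/in.ftpd
netacl-ftpd: permit-hosts * -chroot /home/ftp -exec /bin/ftpd -f
"""

def parse_rules(text, service):
    """Return (kind, host_patterns, option_tokens) for rules naming the service."""
    rules = []
    for line in text.splitlines():
        words = line.split()
        # assumption: only exact "netacl-<service>" keys are honoured here
        if len(words) < 2 or words[0].rstrip(":") != f"netacl-{service}":
            continue
        kind = {"permit-hosts": "permit", "deny-hosts": "deny"}[words[1]]
        n = next((i for i in range(2, len(words)) if words[i].startswith("-")), len(words))
        rules.append((kind, words[2:n], words[n:]))  # hosts end at the first '-' token
    return rules

def host_matches(pattern, addr, hostname):
    """'unknown' matches clients without a DNS name; other patterns may use wildcards."""
    if pattern == "unknown":
        return hostname is None
    return fnmatch.fnmatchcase(addr, pattern) or (
        hostname is not None and fnmatch.fnmatchcase(hostname, pattern))

def evaluate(rules, addr, hostname=None):
    """First matching rule wins; with no matching rule the service is denied."""
    for kind, patterns, opts in rules:
        if not any(host_matches(p, addr, hostname) for p in patterns):
            continue
        decision = {"action": kind, "klaxon": "-klaxon" in opts, "exec": None}
        if kind == "deny":
            return decision              # netacl logs the refusal and exits here
        if "-exec" not in opts:
            raise ValueError("permit-hosts rule without -exec")
        cut = opts.index("-exec")        # -exec must be last: the rest is the argv
        decision["exec"] = opts[cut + 1:]
        head = [o for o in opts[:cut] if o != "-klaxon"]
        for flag, value in zip(head[::2], head[1::2]):
            if flag not in ("-user", "-chroot"):
                raise ValueError(f"unknown option {flag}")
            decision[flag[1:]] = value   # stored as "user" / "chroot"
        return decision
    return {"action": "deny", "klaxon": False, "exec": None}
```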