12.07.2015 Views

Red Hat Enterprise Linux 5 Administration Unleashed


386  CHAPTER 19  Explaining Other Common Network Services

The no_access and only_from attributes can be used together to accept or deny connections from specific hosts. Hosts in the no_access list are not granted connectivity to xinetd services by default. Hosts in the only_from list are granted access to xinetd services by default.

Remember these attributes can be redefined in the individual service files to grant or deny hosts access to specific xinetd services. The no_access and the only_from attributes are commented out by default because setting only_from to a blank value denies all hosts. Both accept a list of hosts in the following formats:

  • IPv4 or IPv6 individual IP address, such as 192.168.10.4.
  • IPv4 address range denoted by using 0 as a wildcard in the right-most numbers of the IP address, such as 192.168.10.0 to match 192.168.10.1 through 192.168.10.254. 0.0.0.0 matches all IP addresses.
  • Factorized IPv4 address, such as the form X.X.X.{X,X,X,...}, where the last number in the IP address is factorized. If all four integers in the IP are not specified, the remaining integers are assumed to be 0, which is interpreted as a wildcard. For example, 192.168.10.{1,5,6} represents the 192.168.10.1, 192.168.10.5, and 192.168.10.6 addresses.
  • Network name from /etc/networks. Only works for IPv4 addresses.
  • Specific hostname such as server.example.com.
  • Domain such as example.com. All hosts with this domain such as server.example.com match.
  • IP address/netmask range such as 192.168.10.0/32 for IPv4 and 1234::/46 for IPv6.

If an IP address or hostname matches both lists, the more specific match takes precedence. For example, assume that the no_access attribute includes 192.168.10.0 and the only_from attribute includes 192.168.10.4. If the host 192.168.10.4 tries to connect to an xinetd service, it is granted access because it matches both lists but the specific IP address is in the only_from list.

The other attributes for access control are as follows:

  • max_load: Commented out by default. If set to a floating point value that represents the one minute load average, the service stops accepting connections when this load is reached.
  • cps: Set the rate of the incoming connections. Two integer values must be specified. The first integer is the number of connections per second to allow. If the rate of incoming connections exceeds this number, the service is temporarily disabled. The second number is the number of seconds to wait before re-enabling the service.
  • instances: Maximum number of xinetd connections allowed to be active. If set to UNLIMITED, there is no limit.
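The precedence rule for no_access and only_from described above can be checked before a configuration is deployed. The following Python sketch is an added example, not code from the book or from xinetd: it models only the numeric IPv4 formats (single address, trailing-0 wildcard, factorized form, address/netmask) and assumes that a tie between the two lists is denied. The function names expand, best_match and allowed are hypothetical.

```python
import ipaddress
import re

def expand(entry):
    """Turn one numeric IPv4 list entry into ip_network objects.
    Hostnames, domains and /etc/networks names are out of scope here."""
    if "/" in entry:                               # address/netmask form
        return [ipaddress.ip_network(entry, strict=False)]
    m = re.fullmatch(r"((?:\d+\.){1,3})\{([\d,]+)\}", entry)
    if m:                                          # factorized form X.X.X.{a,b,c}
        addrs = [m.group(1) + last for last in m.group(2).split(",")]
    else:
        addrs = [entry]
    nets = []
    for addr in addrs:
        octets = addr.split(".")
        octets += ["0"] * (4 - len(octets))        # unspecified integers become 0
        prefix = 32
        for octet in reversed(octets):             # each right-most 0 is a wildcard
            if octet != "0":
                break
            prefix -= 8
        nets.append(ipaddress.ip_network(".".join(octets) + f"/{prefix}"))
    return nets

def best_match(entries, host):
    """Prefix length of the most specific matching entry, or -1 if none match."""
    ip = ipaddress.ip_address(host)
    hits = [n.prefixlen for e in entries for n in expand(e) if ip in n]
    return max(hits, default=-1)

def allowed(host, only_from=None, no_access=()):
    """only_from=None models the attribute being commented out;
    only_from=[] models a blank value, which denies every host."""
    deny = best_match(no_access, host)
    if only_from is None:
        return deny < 0
    allow = best_match(only_from, host)
    # Assumption of this model: equal specificity fails closed (deny).
    return allow >= 0 and allow > deny

if __name__ == "__main__":
    # Constructed sample lists mirroring the example in the text.
    only_from, no_access = ["192.168.10.4"], ["192.168.10.0"]
    for host in ("192.168.10.4", "192.168.10.7", "10.1.2.3"):
        print(host, "granted" if allowed(host, only_from, no_access) else "denied")
```

Running the same check against a candidate host list shows which hosts a broad no_access wildcard would cut off and which specific only_from entries override it.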
