Limiting Access to Your GN Hierarchy

There is a separate Security Guide which you should read after you have read this section.

If you opt to limit access to your gopher there are two ways to do this. For the first you use the "-a" option to _gn_ (in the inetd.conf file). This will limit access to the server to those clients with an IP address or subnet address listed (and not excluded) in the file .access in the root data directory.

The format of the .access file is one address per line, each line consisting of an IP address like 129.111.222.123 or a subnet address like 129.111.222 or 129.111. In case a subnet address is listed, any client with an IP address beginning with that subnet address will be allowed access.

You may also list the domain names of the machines using wildcards provided the machines all have proper PTR domain name records. To allow access to all machines under nwu.edu, use the line

    *.nwu.edu

Note that this will not allow access to a machine called nwu.edu if it exists. One would need to add in the record nwu.edu to allow access.

You can also exclude IP addresses or domain names by prefixing them with an '!', so if .access contained only the lines

    !speedy.acns.nwu.edu
    *

access would be permitted to every machine _except_ speedy. Likewise

    !129.111
    *

would allow access to everyone except those on subnet 129.111.

It is important to note that in determining access _gn_ reads the .access file only until it finds a match (with or without '!') and then quits. So if .access consisted of the two lines

    *
    !129.111

then access would be granted to everyone since the * comes first and it matches everyone.

The "-A" option is similar to the -a option except access is allowed on a per directory basis. Each client request is processed by first looking for a .access file in the directory containing the requested item and comparing the IP address of the client with the addresses in this file. If no .access file exists in this directory, one is sought in the parent directory and then if necessary the parent of the parent, etc. up to the root data directory. If no .access file is found by this process access is allowed to all clients provided the item requested exists in a .cache file.

It is possible with _gn_ to attain even finer access discrimination than on a per directory basis, though it is somewhat cumbersome to do so. Nevertheless if you have a need to make certain menu items visible (and accessible) to a select group of hosts, this is possible. Details on how to do it are in the last section of the document /docs/technical.notes.
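The first-match rule and the "-A" parent-directory lookup described above can be checked offline before an .access file is deployed. The following is an added example, not code from _gn_ itself; the function names, the sample rule lists and the whole-octet subnet comparison are assumptions made for illustration.

```python
import fnmatch
import posixpath

def rule_matches(pattern, ip, host):
    """True if one .access pattern (leading '!' removed) matches the client."""
    if pattern.replace(".", "").isdigit():  # IP or subnet address
        # Assumption: compare whole octets, so 129.11 does not match
        # 129.111.x.x; the page only says "beginning with".
        octets = pattern.rstrip(".").split(".")
        return ip.split(".")[:len(octets)] == octets
    # Wildcard/domain line: needs the client's PTR name (host may be None).
    names = [ip] if host is None else [ip, host.lower()]
    return any(fnmatch.fnmatchcase(n, pattern.lower()) for n in names)

def check_access(lines, ip, host=None):
    """-a behaviour: the first matching line decides, later lines are ignored."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if rule_matches(line.lstrip("!"), ip, host):
            return not line.startswith("!")
    return False  # client is not listed in the file

def check_request(access_files, path, ip, host=None):
    """-A behaviour: use the nearest .access at or above the item's directory.

    access_files maps a directory (relative to the root data directory,
    "/" being the root) to the lines of its .access file.
    """
    d = posixpath.dirname(path)
    while True:
        if d in access_files:
            return check_access(access_files[d], ip, host)
        if d in ("/", ""):
            return True  # no .access up to the root: all clients allowed
        d = posixpath.dirname(d)

# Constructed sample data (not from the GN distribution).
GOOD = ["!129.111", "*"]  # exclusion first: subnet 129.111 is denied
BAD = ["*", "!129.111"]   # '*' matches first: the exclusion is never reached
TREE = {"/": ["*"], "/private": ["*.nwu.edu", "nwu.edu"]}

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "129.111.5.6 allowed:", check_access(rules, "129.111.5.6"))
    print("/private item from outside:",
          check_request(TREE, "/private/notes/a.txt", "10.0.0.1", "h.example.com"))
```

Running a proposed file through check_access with a few addresses that must be refused shows an ordering mistake such as BAD before the server does.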