| author | Sam Varshavchik | 2017-03-11 10:51:01 -0500 |
|---|---|---|
| committer | Sam Varshavchik | 2017-03-11 10:51:01 -0500 |
| commit | 078f9a0eadbf2996f7b90e54f931b2cc5155c4d9 (patch) | |
| tree | 99b8397a906671b558fed20d8c02f13320a37daa /tcpd/couriertcpd.sgml | |
| parent | 2fbe4c6aa77fd64b3d6598e6158e10076159b0c1 (diff) | |
| download | courier-libs-078f9a0eadbf2996f7b90e54f931b2cc5155c4d9.tar.bz2 | |
Update documentation, default BLOCK message.
Diffstat (limited to 'tcpd/couriertcpd.sgml')
| -rw-r--r-- | tcpd/couriertcpd.sgml | 32 |
1 files changed, 20 insertions, 12 deletions
diff --git a/tcpd/couriertcpd.sgml b/tcpd/couriertcpd.sgml index d6c0fac..1d10157 100644 --- a/tcpd/couriertcpd.sgml +++ b/tcpd/couriertcpd.sgml @@ -648,12 +648,6 @@ file, the entry for the most specific IP address.</para> </para> <para> - There is no provision to support IPv6-based lists, because none yet - exist. IPv6-based access list support will be added in the - future. - </para> - - <para> <command>couriertcpd</command>'s default configuration does not automatically reject connections from banned IP address unless the <option>-drop</option> option is present. @@ -683,16 +677,22 @@ file, the entry for the most specific IP address.</para> <command>couriertcpd</command> makes a DNS query for <quote>d.c.b.a.dnswl.example.com</quote>, then, if necessary, for <quote>d.c.b.a.dnsbl.example.com</quote>, for a connection from the - IP address <replaceable>a.b.c.d</replaceable>. + IPv4 address <replaceable>a.b.c.d</replaceable>. + </para> + + <para> + For IPv6 addresses, the DNS query consists of individual hexadecimal + nybbles (in reverse order, like the IPv4 query). </para> <para> If the DNS query succeeds (more details below), <option>-allow</option> sets the environment variable to an empty string, and <option>-block</option> sets the environment variable - from the <literal>TXT</literal> record in the DNS response, or to - <quote>Access denied.</quote> if the DNS access list did not return - a <literal>TXT</literal> record. It should be possible to use + from the <literal>TXT</literal> record in the DNS response, if one + was requested (see below), or to a default message for regular + DNS queries for <literal>A</literal> records. + It should be possible to use <command>couriertcpd</command> with DNS access lists that use either <literal>A</literal> or <literal>TXT</literal> records. </para> 
@@ -754,12 +754,20 @@ file, the entry for the most specific IP address.</para> </blockquote> <para> - The last component specifies a custom message that overrides any - <literal>TXT</literal> record in the DNS access list. + The last component specifies a custom message that overrides the + default rejection message. Note that this is a single parameter to <application>couriertcpd</application>, so the parameter must be quoted if it contains any spaces or special shell metacharacters. + A message that's specified as <quote>*</quote> results in a + <literal>TXT</literal> query to the DNS access list instead of the + regular <literal>A</literal> query. This is for DNS access lists + that provide <literal>TXT</literal> records, that gets copied + into the <varname>BLOCK</varname> variable (or the custom + variable). The <quote>*</quote> must also be quoted, since it's + also a shell metacharacter, and it cannot be used together with + an explicit <literal>A</literal> address query, described above. </para> <para> |
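Review bot: the new IPv6 paragraph in the second hunk (`@@ -683,16 +677,22 @@`) leaves the query format underspecified: "consists of individual hexadecimal nybbles (in reverse order, like the IPv4 query)" does not say whether the address is first expanded to its full form (no `::` compression, no dropped leading zeros) so that every query has the same number of nybble labels, which is exactly what someone building or choosing a DNS access list zone needs to know; suggest stating the label count explicitly. The same hunk also replaces the previously documented fallback text `Access denied.` with "a default message for regular DNS queries for A records" without saying what that message is, so the default is now undocumented even though the commit message says it changed; quote the new literal string here.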
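Review bot: grammar and a clarity gap in the third hunk (`@@ -754,12 +754,20 @@`): "DNS access lists that provide TXT records, that gets copied into the BLOCK variable" should read "DNS access lists that provide TXT records, which get copied into the BLOCK variable". More substantively, the hunk turns `*` in the custom-message slot into a sentinel, so a literal rejection message of `*` can no longer be configured; that is worth saying outright. The closing sentence "it cannot be used together with an explicit A address query, described above" tells the reader the combination is invalid but not what couriertcpd does when it sees one (refuses to start, ignores one of the two, or something else), and an operator checking a configuration needs that behaviour spelled out.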
