ACL mybox 192.168.50.1/32

ACLs are used whenever you need to refer to a network or host, such as
in ACCESS and ACCEPT/REJECT definitions (below) and with "allowfrom" in
\fBupsd.users\fR(5).
.IP "ACCESS \fIaction\fR \fIlevel\fR \fIaclname\fR"
Define the access to commands at level \fIlevel\fR by clients in the
network defined by ACL \fIaclname\fR.

The \fIaction\fR can be one of these values:

grant - allow the clients to perform commands at this level.

deny - deny the clients access to commands at this level.

The \fIlevel\fR relates to the complexity of the command. More
important functions like editing variables inside the UPS require more
privileges than merely checking the status. Each level includes the
powers of the one before it. Here are the valid levels:

base - Allows TCP connections and very simple queries. You
will probably never need to use this level. One possible use would be a
program that connects to a port to verify that a service is running.

monitor - This adds the ability to request information like the
current value of different variables. This is the level you should use.

all - match any level. This really only should be used for
"deny all all" or similar. Granting "all" access to any host is not
The \fIaclname\fR is one of your ACL definitions (see ACL above).
.IP "ACCEPT \fIaclname\fR [\fIaclname\fR...]"
ACCEPT lets clients on the hosts or networks defined by \fIaclname\fR
connect to upsd. You may specify multiple ACL names on the ACCEPT line,
and you may have multiple ACCEPT lines.

ACCEPT localhost mybox

.IP "REJECT \fIaclname\fR [\fIaclname\fR...]"
Like ACCEPT, but it denies access instead. upsd will close the
connection without reading any data from the network.

Note: you should still use firewall rules if your system provides them.
That provides another level of coverage.
.SH ACCESS CONTROL EXAMPLES

Here is an example configuration to show some of what is possible.
- "bigserver" has a UPS attached to a serial port. It runs the
driver, upsd, and upsmon in master mode. This definition is
also referenced with an "allowfrom" in \fBupsd.users\fR(5).

- "workstation" draws from the same UPS as "bigserver", but has
to monitor it over the network. It runs upsmon in slave mode. It is
also referenced with an "allowfrom" in \fBupsd.users\fR(5).

- "webserver" doesn't get power from this UPS at all, but it
runs the CGI programs so it can make nice status displays.

- an abuser is explicitly denied

- everyone not yet covered is denied nicely
ACL abuser 192.168.255.128/32

ACCESS grant monitor bigserver
ACCESS grant monitor workstation
ACCESS grant monitor webserver
ACCESS deny all abuser

ACCEPT bigserver workstation webserver
.SH ACCESS CONTROL MATCHING

Access controls should go from most specific to least specific. The
first match with a sufficient access level is the one used.

Along the same lines, everyone is a member of "all", but we want to
match everything else first so they don't hit the deny at the bottom.

If you don't have a final "all" match at the bottom, it will force one
for you as a deny. This means that you have to explicitly add an allow
in order to allow the whole world to have access.

Just think of it as a big repeating "if-then-else" structure.
ACCEPT and REJECT directives are checked in the order they occur in this
file. The first ACL which matches a client causes the action to be
taken. If you need to ACCEPT one host and REJECT the rest of a network,
first list the host, then list the network on a line below it.

Any IP address which does not match one of your directives will default
to REJECT. This is intended to keep your system safe if you forget to
put "REJECT all" at the bottom.

If you really want the whole world to have access to upsd, you can do
"ACCEPT all", but that is not recommended.
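To make the ordering rules above concrete, here is a small Python evaluator
added for this page; it is example code, not part of NUT or upsd. It reads
ACL, ACCESS, ACCEPT and REJECT lines in the syntax shown above and applies
them the way the matching sections describe: first match in file order wins,
"all" matches every client, and a client that matches nothing is rejected
(ACCEPT/REJECT) or denied (ACCESS). The sample configuration, its hosts and
networks, and the function names are constructed for the example; the rule
that an ACCESS line at a higher level covers a request at a lower one follows
the statement that each level includes the powers of the one before it.

```python
"""Evaluate upsd.conf ACL / ACCESS / ACCEPT / REJECT lines with first-match
semantics and a default REJECT (or deny).  Example code for this page only,
not part of NUT or upsd."""
import ipaddress

# Levels in increasing order of privilege; "all" matches any level.
LEVELS = ["base", "monitor", "all"]

# Constructed sample in the man page's syntax; hosts/networks are made up.
SAMPLE_CONF = """\
ACL localhost   127.0.0.1/32
ACL bigserver   192.168.50.1/32
ACL workstation 192.168.50.2/32
ACL webserver   192.168.50.3/32
ACL mynet       192.168.50.0/24
ACL abuser      192.168.255.128/32

ACCESS grant monitor bigserver
ACCESS grant monitor workstation
ACCESS grant monitor webserver
ACCESS deny all abuser

ACCEPT localhost bigserver workstation webserver
REJECT mynet
REJECT abuser
REJECT all
"""


def parse_upsd_conf(text):
    """Return (acls, accept_reject, access); acls maps name -> ip_network,
    accept_reject is [(action, [names])], access is [(action, level, name)].
    Other directives and "#" comments are ignored."""
    acls, accept_reject, access = {}, [], []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        key = words[0].upper()
        if key == "ACL" and len(words) == 3:
            acls[words[1]] = ipaddress.ip_network(words[2], strict=False)
        elif key in ("ACCEPT", "REJECT") and len(words) >= 2:
            accept_reject.append((key, words[1:]))
        elif key == "ACCESS" and len(words) == 4:
            access.append((words[1].lower(), words[2].lower(), words[3]))
    return acls, accept_reject, access


def acl_matches(acls, name, client):
    """The name "all" is the catch-all every client belongs to."""
    return name == "all" or client in acls[name]


def connection_allowed(acls, accept_reject, client_ip):
    """ACCEPT/REJECT: the first matching directive wins; no match means REJECT."""
    client = ipaddress.ip_address(client_ip)
    for action, names in accept_reject:
        if any(acl_matches(acls, n, client) for n in names):
            return action == "ACCEPT"
    return False


def access_granted(acls, access, client_ip, level):
    """ACCESS: the first match at a sufficient level decides; no match means
    deny.  A rule at level R is sufficient for a request at level L when R
    is at least as privileged as L ("all" covers everything)."""
    client = ipaddress.ip_address(client_ip)
    wanted = LEVELS.index(level)
    for action, rule_level, name in access:
        if LEVELS.index(rule_level) >= wanted and acl_matches(acls, name, client):
            return action == "grant"
    return False


def demo():
    """Exercise the ordering rules and return the decisions by name."""
    acls, ar, access = parse_upsd_conf(SAMPLE_CONF)
    without_final_reject = ar[:-1]            # forget "REJECT all"
    network_first = [ar[1], ar[0]] + ar[2:]   # REJECT mynet above the ACCEPT
    return {
        "bigserver connects": connection_allowed(acls, ar, "192.168.50.1"),
        "workstation connects": connection_allowed(acls, ar, "192.168.50.2"),
        "other mynet host connects": connection_allowed(acls, ar, "192.168.50.77"),
        "abuser connects": connection_allowed(acls, ar, "192.168.255.128"),
        "unlisted host connects": connection_allowed(acls, ar, "10.0.0.5"),
        "unlisted host, no REJECT all": connection_allowed(acls, without_final_reject, "10.0.0.5"),
        "workstation, network listed first": connection_allowed(acls, network_first, "192.168.50.2"),
        "bigserver monitor": access_granted(acls, access, "192.168.50.1", "monitor"),
        "bigserver base": access_granted(acls, access, "192.168.50.1", "base"),
        "bigserver all": access_granted(acls, access, "192.168.50.1", "all"),
        "abuser base": access_granted(acls, access, "192.168.255.128", "base"),
    }
```

Calling demo() shows the workstation accepted even though its network is
rejected on the line below, the same workstation refused once the REJECT for
the network is moved above the ACCEPT, the unlisted host refused with or
without the final "REJECT all", and the abuser refused at every ACCESS level
while bigserver gets "monitor" (and therefore "base") but not "all".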
.SH OTHER CONFIGURATION DIRECTIVES