rsync

Limiting connections on ip address


Nutter

7:25 pm on Feb 22, 2005 (gmt 0)

10+ Year Member

I understand the 'hosts allow' line in rsyncd.conf, but is there a way to only have rsync listen on a single IP address? I have 4 ips on my server, but I would like to only be able to rsync to one. Figure it may be a little more secure if I'm using an IP address that doesn't also match the main domain.

- Ryan

StupidScript

11:37 pm on Feb 22, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

According to the rsyncd.conf file:

"hosts allow"

The "hosts allow" option allows you to specify a list of patterns that are matched against a connecting client's hostname and IP address. If none of the patterns match then the connection is rejected.

Each pattern can be in one of five forms:

- a dotted decimal IPv4 address of the form a.b.c.d, or an IPv6 address of the form a:b:c::d:e:f. In this case the incoming machine's IP address must match exactly.

- an address/mask in the form ipaddr/n where ipaddr is the IP address and n is the number of one bits in the netmask. All IP addresses which match the masked IP address will be allowed in.

- an address/mask in the form ipaddr/maskaddr where ipaddr is the IP address and maskaddr is the netmask in dotted decimal notation for IPv4, or similar for IPv6, e.g. ffff:ffff:ffff:ffff:: instead of /64. All IP addresses which match the masked IP address will be allowed in.

- a hostname. The hostname as determined by a reverse lookup will be matched (case insensitive) against the pattern. Only an exact match is allowed in.

- a hostname pattern using wildcards. These are matched using the same rules as normal unix filename matching. If the pattern matches then the client is allowed in.

Note IPv6 link-local addresses can have a scope in the address specification:

fe80::1%link1

fe80::%link1/64

fe80::%link1/ffff:ffff:ffff:ffff::

You can also combine "hosts allow" with a separate "hosts deny" option. If both options are specified then the "hosts allow" option is checked first and a match results in the client being able to connect. The "hosts deny" option is then checked and a match means that the host is rejected. If the host does not match either the "hosts allow" or the "hosts deny" patterns then it is allowed to connect.

The default is no "hosts allow" option, which means all hosts can connect.

"hosts deny"

The "hosts deny" option allows you to specify a list of patterns that are matched against a connecting client's hostname and IP address. If the pattern matches then the connection is rejected. See the "hosts allow" option for more information.

The default is no "hosts deny" option, which means all hosts can connect.

The second bit of emphasis would seem to say that you MUST specify the "good" IP in "hosts allow" ONLY, and do NOT use "hosts deny" at all, otherwise non-matching IPs/hosts will be allowed to make the connection.
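
The allow/deny order described in the man page text above is the part people get wrong, so here is a small POSIX shell simulation of it, added as an illustration; it is not code from the thread and not rsync's own implementation. It covers the IPv4 forms (exact address, address/prefix, address/dotted-mask) and the hostname and wildcard forms, leaves the IPv6 forms out, and the client addresses, hostnames and lists fed to it are constructed for the demonstration. The case worth staring at is the third verdict: with both lists set, a client that matches neither is let in, which is exactly why the reply says to use "hosts allow" alone; "hosts deny = *" next to the allow list is the other way to close the module. Hostname patterns are matched against the reverse lookup of the client address, which whoever controls that address's PTR record can set, so address patterns are the stronger check.

```sh
#!/bin/sh
# Simulation of the rsyncd.conf(5) "hosts allow" / "hosts deny" decision
# order quoted above. Added illustration only: this is not rsync's code,
# and it handles the IPv4 and hostname pattern forms, not the IPv6 ones.
# Lists use the rsyncd.conf separators (space or comma).

# ip4_to_int a.b.c.d -> the address as a 32-bit integer
ip4_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip4_match CLIENT_IP PATTERN
# PATTERN is a.b.c.d (exact), a.b.c.d/n (prefix length) or a.b.c.d/m.m.m.m (dotted mask)
ip4_match() {
    case $2 in
        */*) net=${2%/*}; m=${2#*/} ;;
        *)   net=$2; m=32 ;;
    esac
    case $m in
        *.*) mask=$(ip4_to_int "$m") ;;
        *)   mask=$(( (4294967295 << (32 - m)) & 4294967295 )) ;;
    esac
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# pattern_matches CLIENT_IP CLIENT_HOST PATTERN -> 0 on match
# Anything that is not digits, dots and a slash is treated as a hostname
# pattern and matched case-insensitively with shell (filename-style)
# wildcards, as the man page describes.
pattern_matches() {
    case $3 in
        *[!0-9./]*)
            lhost=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
            lpat=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
            case $lhost in
                $lpat) return 0 ;;
                *)     return 1 ;;
            esac ;;
        *)
            ip4_match "$1" "$3" ;;
    esac
}

# list_matches CLIENT_IP CLIENT_HOST "pattern list" -> 0 if any entry matches
list_matches() {
    set -f                      # keep "*.example" from expanding against the cwd
    oldifs=$IFS; IFS=' ,'
    set -- "$1" "$2" $3
    IFS=$oldifs; set +f
    ip=$1; host=$2; shift 2
    for pat in "$@"; do
        pattern_matches "$ip" "$host" "$pat" && return 0
    done
    return 1
}

# allow_access CLIENT_IP CLIENT_HOST "hosts allow" "hosts deny" -> 0 allowed, 1 rejected
#   neither list set : allowed
#   only allow set   : allowed only on an allow match
#   only deny set    : rejected only on a deny match
#   both set         : an allow match wins; otherwise a deny match rejects;
#                      otherwise (matches neither) the client is still allowed
allow_access() {
    if [ -n "$3" ] && [ -n "$4" ]; then
        list_matches "$1" "$2" "$3" && return 0
        list_matches "$1" "$2" "$4" && return 1
        return 0
    elif [ -n "$3" ]; then
        list_matches "$1" "$2" "$3"
    elif [ -n "$4" ]; then
        if list_matches "$1" "$2" "$4"; then return 1; else return 0; fi
    else
        return 0
    fi
}

# verdict CLIENT_IP CLIENT_HOST "hosts allow" "hosts deny" -> prints allowed|rejected
verdict() {
    if allow_access "$1" "$2" "$3" "$4"; then echo allowed; else echo rejected; fi
}

# Constructed clients and policies for the demonstration:
verdict 1.2.3.7      desk.example   '1.2.3.7' ''                  # the one allowed client: allowed
verdict 203.0.113.9  other.example  '1.2.3.7' ''                  # allow list only: rejected
verdict 203.0.113.9  other.example  '1.2.3.7' '10.0.0.0/8'        # both lists, matches neither: allowed
verdict 203.0.113.9  other.example  '1.2.3.7' '*'                 # closed form: everything else rejected
verdict 192.0.2.200  dmz.example    '192.0.2.0/24' ''             # prefix form: allowed
verdict 10.1.2.3     dmz.example    '' '10.0.0.0/255.0.0.0'       # dotted-mask deny: rejected
verdict 198.51.100.4 Host1.Backup.Example '*.backup.example' ''    # wildcard hostname, case-insensitive: allowed
```

Run it with sh; each verdict line prints allowed or rejected for the client and policy on that line.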

Nutter

3:43 am on Feb 23, 2005 (gmt 0)

10+ Year Member

I understand the hosts allow, it's the same as Samba. If I have hosts allow = 123.123.123.123 and I try to connect from 231.231.231.231, it won't let me connect. No problem.

My question is this. My server has the IP addresses 1.2.3.4, 1.2.3.5, 1.2.3.6, and 1.2.3.7. How can I make it so rsync only listens on 1.2.3.7, similar to the Apache listen config?

StupidScript

4:46 am on Feb 23, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

hosts allow = 1.2.3.7

That's it. Do not activate the "hosts deny" option in rsyncd.conf.

Nutter

1:53 pm on Feb 23, 2005 (gmt 0)

10+ Year Member

We're talking backwards :-)

I understand hosts allow. The computer sitting on my desk has to match the ip to be allowed to connect. It has to match the client address.

The question is about the server. Is there something similar to the Apache directive listen? The server has 4 IP addresses. I only want it to allow incoming rsync connections on one of its addresses, regardless of the client IP address.

Nutter

10:28 pm on Feb 23, 2005 (gmt 0)

10+ Year Member

I think I found it. There is an --address config for rsync. I can't find anything more descriptive than the man page, but this appears to be what I'm looking for.

- Ryan

StupidScript

10:34 pm on Feb 23, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

That's excellent, because apart from 'hosts allow', I'm finding NUTHIN! :)

Please post your results, Ryan. I'm very curious.

Nutter

11:29 pm on Feb 23, 2005 (gmt 0)

10+ Year Member

It looks like using the --address=1.2.3.4 directive on the command line will cause rsync to only listen on IP 1.2.3.4, whereas leaving off --address will cause it to listen on all addresses on the server.

There is also a --port=X directive that may be useful later, just haven't played with it.

I guess the lesson is that I need to read documentation more carefully :-)

- Ryan
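
Putting the two answers together, as an added example (not from the thread and not the rsync project's own code): the daemon's --address and --port options bind the listener, the address and port parameters that current rsyncd.conf(5) accepts in the global section do the same from the config file (the command-line options supersede them), and "hosts allow" filters who may use a module. The script below writes such a config, prints the launch line, and classifies `ss -ltn` / `netstat -ltn` output to confirm that nothing is left listening on the wildcard address; the addresses, module name, paths and the sample listener output are placeholders and constructed data. Two caveats: the man page notes that neither the config parameters nor the options apply when rsync is started from (x)inetd, since the super-server owns the socket; and binding the listener authenticates nobody, so the module still needs "hosts allow" (and "auth users" with a "secrets file", or an ssh tunnel, if the data matters, because daemon-mode traffic is sent in the clear).

```sh
#!/bin/sh
# Added example (not from the thread or from the rsync project): bind an
# rsync daemon to one of the server's addresses and verify the result.
# The addresses, port, module name and paths are placeholders.

LISTEN_ADDR=${LISTEN_ADDR:-1.2.3.7}          # the one server address that should answer
LISTEN_PORT=${LISTEN_PORT:-873}
CLIENT_ADDR=${CLIENT_ADDR:-198.51.100.20}    # the one client allowed to pull from the module

# write_rsyncd_conf FILE ADDR PORT CLIENT
# "address" and "port" in the global section bind the listener from the config
# file itself; the per-module "hosts allow" (with no "hosts deny", so that a
# non-matching client is rejected rather than let through) filters callers.
# Both are ignored when rsync is started from (x)inetd.
write_rsyncd_conf() {
    printf '%s\n' \
        '# global section: parameters for the listener itself' \
        "address = $2" \
        "port = $3" \
        'pid file = /run/rsyncd.pid' \
        'use chroot = yes' \
        'read only = yes' \
        '' \
        '[backup]' \
        '    path = /srv/backup' \
        '    comment = pull-only backup module (placeholder)' \
        "    hosts allow = $4" \
        '    uid = nobody' \
        '    gid = nogroup' > "$1"
}

# daemon_command ADDR PORT FILE -> the launch line. --address/--port on the
# command line supersede the config-file values, so repeating them also makes
# the bind visible in ps output.
daemon_command() {
    printf 'rsync --daemon --no-detach --config=%s --address=%s --port=%s\n' "$3" "$1" "$2"
}

# listener_state TEXT ADDR PORT -> bound | wildcard | absent
# TEXT is the output of `ss -ltn` or `netstat -ltn`; the local address is the
# field that ends in ":PORT". A 0.0.0.0, * or [::] local address means the
# daemon still answers on every address, which is what --address is meant to stop.
listener_state() {
    state=absent
    set -f
    for field in $(printf '%s\n' "$1" | awk -v p=":$3" '{ for (i = 1; i <= NF; i++) if (substr($i, length($i) - length(p) + 1) == p) print $i }'); do
        case $field in
            0.0.0.0:*|"*:"*|"[::]:"*|:::*) state=wildcard ;;
            "$2:"*) if [ "$state" = absent ]; then state=bound; fi ;;
        esac
    done
    set +f
    printf '%s\n' "$state"
}

# check_listener ADDR PORT: live check with ss(8), or netstat(8) as a fallback
check_listener() {
    if command -v ss >/dev/null 2>&1; then
        out=$(ss -ltn 2>/dev/null || true)
    elif command -v netstat >/dev/null 2>&1; then
        out=$(netstat -ltn 2>/dev/null || true)
    else
        echo 'unknown (neither ss nor netstat found)'; return 0
    fi
    listener_state "$out" "$1" "$2"
}

# Constructed `ss -ltn` output as it looks before and after binding:
SAMPLE_WILDCARD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      0.0.0.0:873        0.0.0.0:*
LISTEN 0      5      [::]:873           [::]:*'
SAMPLE_BOUND='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      1.2.3.7:873        0.0.0.0:*'

conf=${TMPDIR:-/tmp}/rsyncd.conf.example.$$
write_rsyncd_conf "$conf" "$LISTEN_ADDR" "$LISTEN_PORT" "$CLIENT_ADDR"
echo "wrote $conf; start with: $(daemon_command "$LISTEN_ADDR" "$LISTEN_PORT" "$conf")"
echo "without --address (sample): $(listener_state "$SAMPLE_WILDCARD" "$LISTEN_ADDR" "$LISTEN_PORT")"
echo "with --address (sample):    $(listener_state "$SAMPLE_BOUND" "$LISTEN_ADDR" "$LISTEN_PORT")"
echo "this host right now:        $(check_listener "$LISTEN_ADDR" "$LISTEN_PORT")"
rm -f "$conf"
```

After starting the daemon on the real server, run check_listener with the bound address and port: "bound" is the state the thread was after, "wildcard" means the daemon is still answering on all four addresses, and "absent" means nothing is listening on that port at all.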