User based TCP port access control with discretionary access control for internet ports
Discretionary Access Control for Internet Ports (DACinet) features user-based access control for TCP ports for communication between AIX® hosts.
AIX can use an additional TCP header to transport user and group information between systems. The DACinet feature allows the administrator on the destination system to control access based on the destination port, the originating user id and host.
In addition, the DACinet feature allows the administrator to restrict local ports to root-only usage. UNIX systems like AIX treat ports below 1024 as privileged ports, which can only be opened by root. AIX allows you to specify additional ports above 1024 which can be opened only by root, thereby preventing unprivileged users from running servers on well-known ports.
Depending on the settings, a non-DACinet system may or may not be able to connect to a DACinet system. Access is denied in the initial state of the DACinet feature. Once DACinet has been enabled, there is no way to disable DACinet.
The dacinet command accepts addresses which are specified as hostnames, dotted decimal host addresses, or network addresses followed by the length of the network prefix.
host.domain.org
    A single host specified by its hostname.
10.0.0.1
    This example specifies a single host which is known by the IP address 10.0.0.1.
10.0.0.0/24
    This network includes all IP addresses between 10.0.0.1 and 10.0.0.254.
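The following Python model illustrates the two ideas above: how the three address-specification forms (hostname, dotted-decimal host, network with prefix length) are parsed and matched against an originating address, and how a default-deny decision keyed on destination port, originating user id and source host behaves. It is an added example, not AIX code and not the real dacinet rule syntax; the Rule structure, the decide() function and the extra-root-ports set are assumptions made for the illustration. Only the address forms, the privileged-port boundary at 1024 and the default-deny initial state come from the page.

```python
"""Model of a DACinet-style access decision (added illustration, not AIX code).

Assumptions made for this example: rules are (destination port, address
spec, optional uid) tuples; hostnames are not resolved (no DNS lookup);
the administrator's extra root-only ports are passed as a plain set.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

# Ports below this limit are privileged (root-only) on UNIX-like systems.
PRIVILEGED_PORT_LIMIT = 1024

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_address_spec(spec: str) -> Union[Network, str]:
    """Turn one address specification into a matchable object.

    '10.0.0.1'        -> a /32 network containing only that host
    '10.0.0.0/24'     -> the network given by address and prefix length
    'host.domain.org' -> kept as a hostname string (not resolved here)
    """
    try:
        # strict=False also tolerates a host address with a prefix length.
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return spec  # not a literal address, so treat it as a hostname


def usable_host_range(spec: str):
    """Return (first, last) host addresses of a network spec as strings.

    The network and broadcast addresses are excluded, matching how the
    page describes 10.0.0.0/24 as covering 10.0.0.1 through 10.0.0.254.
    """
    net = ipaddress.ip_network(spec, strict=False)
    if net.num_addresses <= 2:  # /31, /32: every address is a host address
        return str(net.network_address), str(net.broadcast_address)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def spec_matches(spec: str, src_ip: str) -> bool:
    """Does the originating address fall inside the specification?"""
    parsed = parse_address_spec(spec)
    if isinstance(parsed, str):
        # A hostname spec would need resolution; this model never matches it.
        return False
    return ipaddress.ip_address(src_ip) in parsed


@dataclass
class Rule:
    """Hypothetical rule shape: allow dst_port from address_spec for uid."""
    dst_port: int
    address_spec: str
    uid: Optional[int] = None  # None means any originating user id


def is_root_only_port(port: int, extra_root_ports: Iterable[int]) -> bool:
    """Privileged if below 1024 or listed by the administrator as root-only."""
    return port < PRIVILEGED_PORT_LIMIT or port in set(extra_root_ports)


def decide(rules: List[Rule], dst_port: int, src_uid: int, src_ip: str) -> str:
    """Return 'allow' if any rule matches; otherwise 'deny' (initial state)."""
    for rule in rules:
        if rule.dst_port != dst_port:
            continue
        if rule.uid is not None and rule.uid != src_uid:
            continue
        if spec_matches(rule.address_spec, src_ip):
            return "allow"
    return "deny"


if __name__ == "__main__":
    # Constructed sample rule set and requests for a quick demonstration.
    sample_rules = [Rule(22, "10.0.0.0/24"), Rule(8080, "10.0.0.1", uid=1001)]
    print(usable_host_range("10.0.0.0/24"))
    print(decide(sample_rules, 22, 500, "10.0.0.9"))
    print(decide(sample_rules, 8080, 1002, "10.0.0.1"))
    print(is_root_only_port(8080, {8080}))
```

Note that with an empty rule list every request is denied, which mirrors the page's statement that access is denied in DACinet's initial state; any real deployment therefore needs explicit rules for the ports and originating hosts it expects before enabling the feature.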