RBrooks@MIT-MULTICS.ARPA.UUCP (06/08/87)
In answer to the question why access would not be allowed from nodes trying to access your VAX when you have designated two ACLs (one ALL_IN allowing incoming access, and another ALL-OUT allowing outgoing access) and then given the identifiers to users allowed to use the network, I have the following suggestion:

You need to give the identifier ALL_IN to the DTEs on the network which need to access your system. If this is a finite number then put in your PSI_SECURIY.COM the following commands:

    GRANT /ID ALL_IN 1234567/DTE/net=DATEXP

(note that in the user documentation the West German network is usually referred to as DATEX_P but the commands work only with DATEXP)

    SET DTE 1234567/net=DATEXP/ACL=(IDENT=ALL_IN,ACCESS=INCOMING)

will allow incoming access for the node with NUI 1234567. I suspect that using a * instead of 1234567 will allow incoming access from all nodes attached to the PSI network. The logic behind this being that unidentified nodes should not be able to get to the USERNAME: prompt to log in.

I have an example command string which does function for our configuration. If you desire I could change the NUIs and post it with a description of what it does.

Where I am still very confused is with defining access to DECNET objects. This should allow me to define nodes where only MAIL access will be allowed. I tried to follow the documentation but was plagued with error messages and eventually gave up in total frustration (besides which I did not really need this feature. After all, if I know the NUI and the user there has a USERNAME and password with DIALUP access on my machine, why shouldn't he be able to log in?) In any case, if anyone knows how that works I am quite curious.

RBrooks -at MIT-MULTICS.ARPA