Name: rl43681 Date: 10/24/2003


A DESCRIPTION OF THE REQUEST :
I would like to be able to restrict access to some parts of my system while leaving others open. It is far, far easier for me to enumerate what's forbidden than what's allowed.

JUSTIFICATION :
In my case what I want to do is allow people access to any network address that isn't one of a restricted set, including ones in the internet, so it is not possible to enumerate what's allowed.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
I am only suggesting a possible syntax to which I'm not wedded at all:

grant {
    restriction SocketPermission "*.restricted.example.com", "*";
    permission SocketPermission "*.example.com", "*";
}

This would forbid access to anything in the "restricted" subdomain, but access to all other systems in the domain.
ACTUAL -
No equivalent behavior exists currently.

(Incident Review ID: 217542)
======================================================================