Access Control

A listening Ncat may control which hosts connect to it with the --allow and --deny options. Each of these takes a comma-separated list of host specifications. The syntax is almost identical to that recognized by Nmap for targets (see the section called Target Specification). This includes IPv4 and IPv6 addresses, hostnames, IPv4 octet ranges, and CIDR netmasks. In Ncat (unlike Nmap), CIDR netmasks are supported for IPv6 addresses.

With --allow, any hosts matching one of the listed specifiers are allowed and all others are denied. With --deny, those hosts matching the list are denied and all others are accepted. If a host matches both the --allow and --deny lists, it is denied.

Use --allowfile and --denyfile to allow or deny a list of host/network specifiers stored in a file. Each line of the file contains a specification in one of the forms listed above. Any file acceptable to Nmap's -iL and --excludefile options is suitable for --allowfile and --denyfile.

The following example commands demonstrate various kinds of access control.

Allow one host, deny all others

ncat -l --allow 192.168.0.125
ncat -l --allow 2001:db8::7d
ncat -l --allow trusted.example.com

Deny one host, allow all others

ncat -l --deny 192.168.0.200
ncat -l --deny 2001:db8::c8

Allow hosts on a local network, deny all others

ncat -l --allow 192.168.0.0/24
ncat -l --allow 192.168.0.0-255
ncat -l --allow 2001:db8::/32

Allow or deny hosts from a file

ncat -l --allowfile trusted-hosts.txt
ncat -l --denyfile external-hosts.txt
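To make the allow/deny rules above concrete, here is an added example (not Ncat's own code) that models the documented decision logic: a host on the deny list is refused even if it is also on the allow list, an allow list turns the default into deny, and a deny list alone leaves everything else accepted. It handles IPv4/IPv6 addresses, CIDR netmasks for both families and IPv4 octet ranges; hostnames are not resolved, and the comment and whitespace handling in the file parser are assumptions of this example rather than Ncat's documented file format.

```python
import ipaddress


def spec_matches(spec, addr):
    """True if addr (an ipaddress object) matches one host/network specifier."""
    spec = spec.strip()
    if "/" in spec:                      # CIDR, e.g. 192.168.0.0/24 or 2001:db8::/32
        return addr in ipaddress.ip_network(spec, strict=False)
    if addr.version == 4 and "-" in spec:  # octet range, e.g. 192.168.0.0-255
        octets = spec.split(".")
        if len(octets) != 4:
            return False
        for octet, value in zip(octets, addr.packed):
            lo, _, hi = octet.partition("-")
            lo, hi = int(lo), int(hi) if hi else int(lo)
            if not lo <= value <= hi:
                return False
        return True
    try:
        return addr == ipaddress.ip_address(spec)
    except ValueError:
        return False                     # hostname: not resolved in this offline example


def parse_spec_file(text):
    """Split --allowfile/--denyfile style text into specifiers.

    Assumption for this example: one or more specifiers per line, separated by
    whitespace or commas; blank lines and '#' comments are ignored.
    """
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].replace(",", " ")
        specs.extend(line.split())
    return specs


def is_allowed(client, allow=(), deny=()):
    """Apply the documented rules: deny wins; allow list => default deny."""
    addr = ipaddress.ip_address(client)
    if any(spec_matches(s, addr) for s in deny):
        return False
    if allow:
        return any(spec_matches(s, addr) for s in allow)
    return True


if __name__ == "__main__":
    # Constructed file contents standing in for trusted-hosts.txt.
    trusted = parse_spec_file("192.168.0.0/24  # office LAN\n2001:db8::7d\n")
    print(is_allowed("192.168.0.125", allow=trusted))   # True
    print(is_allowed("192.168.0.200", allow=trusted, deny=["192.168.0.200"]))  # False
```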

Be aware that host-based access control is susceptible to spoofing attacks and various other possible failures. These mechanisms should not be relied on for complete security.

Another kind of access control is simply limiting the maximum number of connections a listening Ncat will accept. Use the --max-conns option or its -m alias to do that. The default maximum number of connections is 100, or 60 on Windows.

ncat -l --max-conns 5