A listening Ncat may control which hosts connect to it with the
options. Each of these takes a comma-separated list of host
specifications. The syntax is almost identical to that recognized by Nmap for
(see the section called “Target Specification”).
This includes IPv4 and IPv6 addresses, hostnames, IPv4 octet ranges,
and CIDR netmasks. In Ncat (unlike Nmap), CIDR netmasks are supported for IPv6
--allow, any hosts matching one of the listed specifiers
are allowed and all others are denied. With
those hosts matching the list are denied and all others are accepted.
If a host matches both the
--deny lists, it is denied.
to allow or deny a list of host/network specifiers stored in a file. Each line of the
file contains a specification in one of the forms listed above. Any
file acceptable to Nmap's
options is suitable for
The following example commands demonstrate various kinds of access control.
- Allow one host, deny all others
ncat -l --allow 192.168.0.125
ncat -l --allow 2001:db8::7d
ncat -l --allow trusted.example.com
- Deny one host, allow all others
ncat -l --deny 192.168.0.200
ncat -l --deny 2001:db8::c8
- Allow hosts on a local network, deny all others
ncat -l --allow 192.168.0.0/24
ncat -l --allow 192.168.0.0-255
ncat -l --allow 2001:db8::/32
- Allow or deny hosts from a file
ncat -l --allowfile trusted-hosts.txt
ncat -l --denyfile external-hosts.txt
Be aware that host-based access control is susceptible to spoofing attacks and various other possible failures. These mechanisms should not be relied on for complete security.
Another kind of access control is simply limiting the maximum number
of connections a listening Ncat will accept. Use the
option or its
alias to do that. The default maximum number of connections is 100, or 60 on Windows.