I originally posted this privately to Mark Bixby. He suggested that someone on the List may have also experienced this problem and be able to shed more light on it.

The problem is related to defining "allow" directives in APACHE's "access.conf" runtime configuration.

Here's the problem: It seems that if I define a list of specific host IP addresses - each with its own "allow from", everything works OK. However, if I try to use subnet specifications (either CIDR or a traditional subnet mask), I get a "forbidden access" message from the server.

The following is a cut/paste of a "server-info" screen. I explicitly defined my IP address (198.24.20.240) just to get access to do the "server-info" display. The display would appear to indicate that the specifications are at least syntactically correct (i.e., it didn't blow up).

    Module Name: mod_access.c
    Content-types affected: none
    Module Groups: Access Checking
    Module Configuration Commands:
        order - 'allow,deny', 'deny,allow', or 'mutual-failure'
        allow - 'from' followed by hostnames or IP-address wildcards
        deny - 'from' followed by hostnames or IP-address wildcards
    Current Configuration:
    access.conf
        <Directory /APACHE/PUB/htdocs>
        order deny,allow
        deny from all
        allow from 198.24.20.240
        allow from 198.24.20.32/27
        allow from 198.24.20.80/28
        allow from 198.24.20.160/27
        allow from 198.24.20.192/29
        allow from 198.24.20.200
        allow from 198.24.20.205
        allow from 198.24.20.208/29
        allow from 198.24.20.223
        allow from 198.24.20.224/27
        allow from 198.24.21.128/26
        </Directory>

The following excerpt is from another version of the file /APACHE/PUB/conf/access.conf. Here I tried using the traditional subnet mask. My IP address (198.24.20.240) should be covered by "allow from 198.24.20.224/255.255.255.224" (next to last in the list). I have double checked all the subnets in the list to make sure they fall on legitimate subnet boundaries for their particular sized subnet.
I was "forbidden" access with this version of the file and tried a couple of other clients with the same result.

    # Controls who can get stuff from this server.
    order deny,allow
    deny from all
    allow from 198.24.20.32/255.255.255.224
    allow from 198.24.20.80/255.255.255.240
    allow from 198.24.20.160/255.255.255.224
    allow from 198.24.20.192/255.255.255.248
    allow from 198.24.20.200
    allow from 198.24.20.205
    allow from 198.24.20.208/255.255.255.248
    allow from 198.24.20.223
    allow from 198.24.20.224/255.255.255.224
    allow from 198.24.21.128/255.255.255.192
    </Directory>

The above directive list translates to approximately 3.5 pages of explicitly defined IP addresses and I have 16 additional Class C subnets of various sizes yet to define.

BTW - (The reason I'm performing this fairly painful operation) - This is an INTRAnet implementation in a public library environment and each of the subnets has a number of PUBLIC devices in the mix. I need to DENY access from the world and ALLOW access only from staff devices.

Does anyone see an obvious problem with the way I have set this up or any other ideas on why it may not be working?

Thanks for any assistance.

Steve Barrett

ps - John, I apologize in advance for being long-winded.

============================================================
= Steven P. Barrett                                        =
= Systems Analyst                                          =
= Fairfax County Public Library     (703) 222-3132 - Voice =
= Technical Operations Center       (703) 222-3135 - FAX   =
= 4000 Stringfellow Rd.                                    =
= Chantilly, VA 20151                                      =
=                                                          =
= --- The opinions expressed here are mine alone. ---      =
============================================================
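
Added example, not part of the original post: a check, independent of the web server, that each "allow from" spec sits on a legitimate subnet boundary and that a given client address is covered by the list. The names parse_allows and matching_allows are hypothetical, CONF is a constructed sample mixing the CIDR and netmask entries quoted above, and only numeric specs are handled; it tests the address arithmetic only and does not model how the server itself parses these directives.

```python
import ipaddress

# Constructed sample: entries from the post, some in CIDR form, some as netmasks.
CONF = """\
order deny,allow
deny from all
allow from 198.24.20.32/27
allow from 198.24.20.80/255.255.255.240
allow from 198.24.20.160/27
allow from 198.24.20.192/255.255.255.248
allow from 198.24.20.200
allow from 198.24.20.205
allow from 198.24.20.208/29
allow from 198.24.20.223
allow from 198.24.20.224/255.255.255.224
allow from 198.24.21.128/26
"""


def parse_allows(conf):
    """Return (networks, errors) for every numeric 'allow from' spec in conf."""
    networks, errors = [], []
    for line in conf.splitlines():
        words = line.split()
        if len(words) < 3 or [w.lower() for w in words[:2]] != ["allow", "from"]:
            continue
        for spec in words[2:]:
            try:
                # strict=True rejects a base address with host bits set,
                # i.e. a subnet that does not start on its own boundary.
                networks.append(ipaddress.ip_network(spec, strict=True))
            except ValueError as exc:
                errors.append(f"{spec}: {exc}")
    return networks, errors


def matching_allows(client, networks):
    """Networks covering client; an empty list means 'deny from all' applies."""
    addr = ipaddress.ip_address(client)
    return [net for net in networks if addr in net]


if __name__ == "__main__":
    nets, errs = parse_allows(CONF)
    for err in errs:
        print("bad spec:", err)
    for client in ("198.24.20.240", "198.24.20.100"):
        hits = matching_allows(client, nets)
        print(client, "allowed by", hits if hits else "nothing (denied)")
```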