First decide if the options should apply to commands only in a particular directory, only to clients of a virtual server, only to anonymous clients, or to all users of your FTP server. On the per-directory, virtual server, anonymous FTP, and main pages is a form titled Add per-command options for. In the FTP commands field, enter one or more commands from the list above, separated by spaces. When you hit the Create button, your browser will be taken to the page shown in Figure 40.5.

Table 40.2. FTP Commands and Their Purposes

CWD	Change to a different current working directory (Like the UNIX cd command)
MKD	Create a new empty directory (Like the UNIX mkdir command)
RNFR	Rename an existing file or directory (Like the mv command)
DELE	Delete a file (Like the rm command)
RMD	Delete a directory, which must be empty (Like the rmdir command)
RETR	Download a file from the server to client
STOR	Upload a file from the client to server
SITE_CHMOD	Change the UNIX permissions on a file
READ	This is not a command, but a shorthand for all FTP commands that deal with file reading
WRITE	Again, this is not a command but a shorthand for all commands for writing or modifying files
DIRS	This is shorthand for all directory listing and movement commands
LOGIN	This one is not really an FTP command at all, but is used to represent client connections. See Section 40.15 “Restricting Clients by IP Address” for information on how to use it
ALL	Represents all FTP commands

Click on the Access Control icon to bring up a form for restricting who can use these commands.

To completely deny access to everyone, change the Access control policy field to Deny all clients. To allow access to everyone, select Allow all clients instead. This is most useful if you are editing options for commands within a directory and there is a set of options for the same commands at a higher level (such as for the virtual server or anonymous FTP) that denies access. For example, anonymous clients cannot typically use the WRITE commands, but you may want to allow it for a particular directory.

To only allow certain UNIX users or members of a certain group access to the commands, fill in the Only allow users and Only allow group fields. Multiple user or group names must be entered separated by spaces.

Certain users and groups can be denied while allowing everyone else access to the FTP commands, by filling in the Deny users and Deny groups fields.

The Restrict access table can be used to block clients from certain IP addresses by entering a series of rules. The three radio buttons at the top control the order in which entries in the table are evaluated. If Deny then allow is selected, any client that matches a Deny row or that does not match an Allow row will be blocked. Conversely, if Allow then deny is chosen only clients that match a Deny row and do not match an Allow row will be prevented from using the commands. This mode is also the default.

The table will always have one empty row for adding a new rule, and because this is a new set of per-command options, that is all it will contain. In the empty row, select either Allow or Deny from the Action menu. Then from the Condition menu, choose one of the following to determine which clients match and thus are allowed or denied:

All All clients match, no matter where they are from.

None No clients match the rule.

IP address Only clients from the IP address entered in the adjacent text field match.

Network Only clients from the entered IP network match. The network address must be a partial IP with a trailing dot, like 192.168.1.

Hostname Only clients whose IP address reverse resolves to the entered name match. You can specify an entire domain by putting a dot at the front, like .example.com.

If you want to add more than one rule, you will need to re-enter this page after saving so that a new blank row appears. To delete a rule, select the blank option from the Action menu.

When you are done choosing who can use the FTP commands, hit the Save button. Then, return to the module's main page and click Apply Changes to make the restrictions active.

Once a set of options for a command or commands has been created, an icon for them will appear on the main page, virtual server options page, anonymous FTP page, or directory options page, depending on where you created it. You can click on this icon to bring up the same per-command options page again and use the icons and forms to make any changes that you wish. It is also possible to change the commands that the options apply to by clicking on the Configure Commands icon and selecting different entries from the FTP commands list on the form that appears. Then hit the Save button, then the Apply Changes button back on the module's main page. Alternately, you can click on Delete commands config to remove the options for these commands from the configuration entirely.