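#
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: head/etc/hosts.allow 56585 2000-01-25 11:25:59Z obrien $
#
# NOTE: The hosts.deny file is no longer used.
# Instead, put both 'allow' and 'deny' rules in the hosts.allow file.
# See hosts_options(5) for the format of this file.
# hosts_access(5) no longer fully applies.

#  _____                                   _         _
# | ____| __  __   __ _   _ __ ___   _ __  | |   ___  | |
# |  _|   \ \/ /  / _` |  | '_ ` _ \  | '_ \  | |  / _ \  | |
# | |___   >  <   | (_| | | | | | | | | |_) | | | |  __/  |_|
# |_____| /_/\_\   \__,_| |_| |_| |_| | .__/  |_|  \___|  (_)
#                                     |_|
# !!! This is an example! You will need to modify it for your specific
# !!! requirements!


# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny

# Prevent those with no reverse DNS from connecting.
# (PARANOID matches clients whose forward and reverse DNS disagree;
# "RFC931 20" asks for an ident lookup with a 20 second timeout.)
ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost
ALL : localhost : allow
ALL : my.machine.example.com : allow

# Sendmail can help protect you against spammers and relay-rapers
sendmail : localhost : allow
sendmail : .nice.guy.example.com : allow
sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow

# Exim is an alternative to sendmail, available in the ports tree
exim : localhost : allow
exim : .nice.guy.example.com : allow
exim : .evil.cracker.example.com : deny
exim : ALL : allow

# Portmapper is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here, so the
# hostname patterns used for the other daemons do not apply.)
# 192.0.2.0/24 is a placeholder documentation network -- replace it
# with the client networks that really need RPC access.  Because
# hostname patterns cannot be used to refuse individual clients,
# the section ends with a default deny instead of a default allow.
portmap : localhost : allow
portmap : 192.0.2.0/255.255.255.0 : allow
portmap : ALL : deny

# Provide a small amount of protection for ftpd
ftpd : localhost : allow
ftpd : .nice.guy.example.com : allow
ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
fingerd : ALL \
	: spawn (echo Finger. | \
	 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
	: deny

# The rest of the daemons are protected. Backfinger and log by email.
ALL : ALL \
	: severity auth.info : spawn (/usr/bin/finger -l @%h | \
	 /usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d (denied)" root) & \
	: twist /bin/echo "You are not welcome to use %d from %h."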