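#
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: head/etc/hosts.allow 56585 2000-01-25 11:25:59Z obrien $
#
# NOTE: The hosts.deny file is no longer used.
#       Instead, put both 'allow' and 'deny' rules in the hosts.allow file.
#	See hosts_options(5) for the format of this file.
#	hosts_access(5) no longer fully applies.

#	 _____                                      _          _ 
#	| ____| __  __   __ _   _ __ ___    _ __   | |   ___  | |
#	|  _|   \ \/ /  / _` | | '_ ` _ \  | '_ \  | |  / _ \ | |
#	| |___   >  <  | (_| | | | | | | | | |_) | | | |  __/ |_|
#	|_____| /_/\_\  \__,_| |_| |_| |_| | .__/  |_|  \___| (_)
#					   |_|                   
# !!! This is an example! You will need to modify it for your specific
# !!! requirements!


# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis, so while this
# line is present every rule below it is unreachable.
ALL : ALL : allow

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny 

# Deny hosts whose name does not match their address.  PARANOID matches a
# forward/reverse DNS mismatch, not merely a missing reverse record (see
# hosts_access(5)).  "RFC931 20" additionally asks the client's ident
# server for the user name and waits up to 20 seconds for an answer, so a
# connection from such a host may stall for that long before being refused.
ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost
ALL : localhost : allow
ALL : my.machine.example.com : allow

# Sendmail can help protect you against spammers and open-relay abusers.
# Only the one example domain is denied; the final rule still admits
# every other host.
sendmail : localhost : allow
sendmail : .nice.guy.example.com : allow
sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow

# Exim is an alternative to sendmail, available in the ports tree
exim : localhost : allow
exim : .nice.guy.example.com : allow
exim : .evil.cracker.example.com : deny
exim : ALL : allow

# Portmapper is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here)
# NOTE: the example patterns below are hostnames and therefore do not meet
# that requirement; replace them with address patterns before relying on them.
portmap : localhost : allow
portmap : .nice.guy.example.com : allow
portmap : .evil.cracker.example.com : deny
portmap : ALL : allow

# Provide a small amount of protection for ftpd
ftpd : localhost : allow
ftpd : .nice.guy.example.com : allow
ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
# Every connection attempt spawns one mail to root, so a remote party can
# generate mail at will; on a busy host the syslog record alone may be
# preferable.  (Shell metacharacters in % expansions are replaced by
# underscores by tcpd before the command runs.)
fingerd : ALL \
	: spawn (echo Finger. | \
	 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
	: deny

# The rest of the daemons are protected. Backfinger and log by email.
# NOTE: this is exactly the backfinger behaviour the fingerd comment above
# warns against: every denied connection runs finger against the remote
# host, which can provoke a "finger war", and it sends one mail to root
# per refused attempt.
ALL : ALL \
	: severity auth.info : spawn (/usr/bin/finger -l @%h | \
	 /usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d  (denied)" root) & \
	: twist /bin/echo "You are not welcome to use %d from %h."
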