hosts.allow revision 58750
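#
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: head/etc/hosts.allow 58750 2000-03-28 17:28:56Z cwt $
#
# NOTE: The hosts.deny file is deprecated.
#       Place both 'allow' and 'deny' rules in the hosts.allow file.
#       See hosts_options(5) for the format of this file.
#       hosts_access(5) no longer fully applies.

#	 _____                                      _          _ 
#	| ____| __  __   __ _   _ __ ___    _ __   | |   ___  | |
#	|  _|   \ \/ /  / _` | | '_ ` _ \  | '_ \  | |  / _ \ | |
#	| |___   >  <  | (_| | | | | | | | | |_) | | | |  __/ |_|
#	|_____| /_/\_\  \__,_| |_| |_| |_| | .__/  |_|  \___| (_)
#					   |_|                   
# !!! This is an example! You will need to modify it for your specific
# !!! requirements!


# Start by allowing everything.  Rules are evaluated top to bottom and the
# first match wins, so while this line is present every rule below it is
# unreachable and no access control is applied at all.  Remove it when you
# need protection.
ALL : ALL : allow

# Wrapping sshd(8) is not normally a good idea (sshd has its own access
# controls), but if you need to do it, here's how
#sshd : .evil.cracker.example.com : deny 

# Deny clients whose hostname and address do not match; PARANOID covers
# missing as well as inconsistent reverse DNS.  The RFC931 option performs
# an ident lookup with a 20 second timeout so the remote user name is
# available for logging (%u).  The ident reply is supplied by the client
# host itself and must not be treated as authentication.
ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost
ALL : localhost : allow
ALL : my.machine.example.com : allow

# Sendmail can help protect you against spammers and open-relay abuse.
# Because first match wins, the final rule admits every client that was
# not denied above.
sendmail : localhost : allow
sendmail : .nice.guy.example.com : allow
sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow

# Exim is an alternative to sendmail, available in the ports tree.
# Same shape as the sendmail rules above: everything not denied is allowed.
exim : localhost : allow
exim : .nice.guy.example.com : allow
exim : .evil.cracker.example.com : deny
exim : ALL : allow

# Portmapper is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here)
# Only the listed networks are admitted; the closing rule denies all other
# clients, which is the safe default for RPC.
portmap : 192.0.2.32/255.255.255.224 : allow
portmap : 192.0.2.96/255.255.255.224 : allow
portmap : ALL : deny

# Provide a small amount of protection for ftpd.  As with sendmail, the
# final rule allows every client not explicitly denied above.
ftpd : localhost : allow
ftpd : .nice.guy.example.com : allow
ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
# The spawn option runs the command below for every matching connection
# before the deny takes effect.  %u, %h and %a are expanded by the wrapper
# (see hosts_options(5), which replaces characters that could confuse the
# shell before the command runs); %u is only meaningful when an ident
# lookup succeeded, otherwise it reads "unknown".
fingerd : ALL \
	: spawn (echo Finger. | \
	 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
	: deny

# The rest of the daemons are protected.  Any client not matched by an
# earlier rule is logged at auth.info, and twist replaces the requested
# service with the echo command, so the connection never reaches the
# daemon.
ALL : ALL \
	: severity auth.info \
	: twist /bin/echo "You are not welcome to use %d from %h."
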