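#
# hosts.allow access control file for "tcp wrapped" apps.
# $FreeBSD: head/etc/hosts.allow 53685 1999-11-25 03:00:44Z obrien $
#
# NOTE: The hosts.deny file is no longer used.  Instead, put both 'allow'
#       and 'deny' rules in the hosts.allow file.
# see hosts_options(5) for the format of this file.
# hosts_access(5) no longer fully applies.
#
# Rules are read top to bottom and the first matching rule decides, so
# ordering is part of the policy: a broad 'allow' above a narrow 'deny'
# makes the 'deny' unreachable.
#
# Host-name patterns (.domain, my.machine...) and %h are resolved through
# reverse DNS, which the remote side's DNS operator controls.  Rules you
# actually rely on should match on IP addresses or address/mask pairs;
# use names only for convenience or logging.

#	 _____                                      _          _ 
#	| ____| __  __   __ _   _ __ ___    _ __   | |   ___  | |
#	|  _|   \ \/ /  / _` | | '_ ` _ \  | '_ \  | |  / _ \ | |
#	| |___   >  <  | (_| | | | | | | | | |_) | | | |  __/ |_|
#	|_____| /_/\_\  \__,_| |_| |_| |_| | .__/  |_|  \___| (_)
#					   |_|                   
# !!! This is an example! You will need to modify it for your specific
# !!! requirements!


# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis: while this line is
# present every rule below it is dead.
ALL : ALL : allow

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny 

# Prevent those with no reverse DNS from connecting.
# PARANOID matches hosts whose name and address do not agree.  The
# "RFC931 20" option makes the wrapper ask the client's ident service
# (up to a 20 second wait per connection) before denying; the answer is
# supplied by the remote host and is only useful for logging, never as
# a basis for granting access.
ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost
ALL : localhost : allow
ALL : my.machine.example.com : allow

# Sendmail can help protect you against spammers and relay-rapers
# (only effective if the sendmail in use was built with tcp wrapper
# support; check your build).
sendmail : localhost : allow
sendmail : .nice.guy.example.com : allow
sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow

# Exim is an alternative to sendmail, available in the ports tree
exim : localhost : allow
exim : .nice.guy.example.com : allow
exim : .evil.cracker.example.com : deny
exim : ALL : allow

# Portmapper is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here, so the
# patterns below are address/mask pairs.  The ranges are made-up
# documentation addresses -- replace them with your own networks.)
portmap : localhost : allow
portmap : 192.0.2.0/255.255.255.0 : allow
portmap : 198.51.100.0/255.255.255.0 : deny
portmap : ALL : allow

# Provide a small amount of protection for ftpd
ftpd : localhost : allow
ftpd : .nice.guy.example.com : allow
ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".  This rule therefore only mails root and denies.
# Note that one mail is sent per connection attempt, so a scan of the
# finger port fills root's mailbox; syslog via the 'severity' option is
# the cheaper way to record these.
fingerd : ALL \
	: spawn (echo Finger. | \
	 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
	: deny

# The rest of the daemons are protected. Backfinger and log by email.
# The finger output mailed to root is generated by the remote host and
# the lookup sends traffic back to whoever connected, so treat the mail
# as untrusted text; the syslog entry from 'severity auth.info' is the
# reliable record.  The 'twist' reply is sent to the client and reveals
# the daemon name (%d) it tried to reach.
ALL : ALL \
	: severity auth.info : spawn (/usr/bin/finger -l @%h | \
	 /usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d  (denied)" root) & \
	: twist /bin/echo "You are not welcome to use %d from %h."
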