hosts.allow revision 53685
#
# hosts.allow access control file for "tcp wrapped" apps.
# $FreeBSD: head/etc/hosts.allow 53685 1999-11-25 03:00:44Z obrien $
#
# NOTE: The hosts.deny file is no longer used. Instead, put both 'allow'
# and 'deny' rules in the hosts.allow file.
# see hosts_options(5) for the format of this file.
# hosts_access(5) no longer fully applies.
#
# Rule format: daemon_list : client_list [: option : option ...]
# Rules are evaluated top to bottom and the FIRST match wins, so the
# order of the lines below is part of the policy.

#  _____                                 _          _
# | ____|__  __ __ _  _ __ ___   _ __   | |  ___   | |
# |  _|  \ \/ // _` || '_ ` _ \ | '_ \  | | / _ \  | |
# | |___  >  <| (_| || | | | | || |_) | | ||  __/  |_|
# |_____|/_/\_\\__,_||_| |_| |_|| .__/  |_| \___|  (_)
#                               |_|
# !!! This is an example! You will need to modify it for your specific
# !!! requirements!


# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
# While this line is present every rule below it is unreachable: no
# 'deny', no logging and no 'twist' further down will ever fire.
ALL : ALL : allow

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny

# Prevent those with no reverse DNS from connecting.
# NOTE(review): hosts_access(5) defines PARANOID as a client whose name
# does not match its address (forward/reverse DNS disagree); a client
# with no reverse record at all shows up as "unknown" rather than
# PARANOID on most tcpd builds -- confirm against your version.
# "RFC931 20" asks the client's ident service for the user name (%u),
# waiting at most 20 seconds. The answer is supplied by the client and
# is useful only for logging, never as the basis of an access decision.
ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost
ALL : localhost : allow
ALL : my.machine.example.com : allow

# Sendmail can help protect you against spammers and relay-rapers
# Note the trailing "ALL : allow": the single 'deny' above it only
# takes effect because it is matched first.
sendmail : localhost : allow
sendmail : .nice.guy.example.com : allow
sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow

# Exim is an alternative to sendmail, available in the ports tree
exim : localhost : allow
exim : .nice.guy.example.com : allow
exim : .evil.cracker.example.com : deny
exim : ALL : allow

# Portmapper is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here)
# NOTE(review): the two hostname patterns below contradict the MUST
# above and will not match for portmap; replace them with address
# patterns (e.g. a network prefix such as "192.0.2." -- constructed
# documentation-range sample, substitute your own networks).
portmap : localhost : allow
portmap : .nice.guy.example.com : allow
portmap : .evil.cracker.example.com : deny
portmap : ALL : allow

# Provide a small amount of protection for ftpd
ftpd : localhost : allow
ftpd : .nice.guy.example.com : allow
ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
# Every finger connection is denied and spawns a shell command that
# mails root, so a burst of connections from any source turns into a
# burst of mail; consider rate limiting or plain logging if this host is
# exposed. %u is the ident-derived user name and is client-controlled.
fingerd : ALL \
	: spawn (echo Finger. | \
	 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
	: deny

# The rest of the daemons are protected. Backfinger and log by email.
# This catch-all does three things per rejected connection: logs at
# auth.info, spawns a finger request back to the connecting host %h and
# mails the result to root, then answers the client with the 'twist'
# banner (which discloses the daemon name %d). The back-finger contacts
# a host that is, by definition, not trusted, and the spawn again lets a
# connection flood fill root's mailbox -- weigh that against the extra
# forensic detail. NOTE(review): tcpd is documented to replace shell
# metacharacters in %-expansions before they reach the shell; verify
# that on your build before relying on it in spawn/twist commands.
ALL : ALL \
	: severity auth.info : spawn (/usr/bin/finger -l @%h | \
	 /usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d (denied)" root) & \
	: twist /bin/echo "You are not welcome to use %d from %h."