hosts.allow revision 56585
145088Smarkm# 256585Sobrien# hosts.allow access control file for "tcp wrapped" applications. 350472Speter# $FreeBSD: head/etc/hosts.allow 56585 2000-01-25 11:25:59Z obrien $ 445088Smarkm# 556585Sobrien# NOTE: The hosts.deny file is no longer used. 656585Sobrien# Instead, put both 'allow' and 'deny' rules in the hosts.allow file. 756585Sobrien# See hosts_options(5) for the format of this file. 856585Sobrien# hosts_access(5) no longer fully applies. 945088Smarkm 1053685Sobrien# _____ _ _ 1153685Sobrien# | ____| __ __ __ _ _ __ ___ _ __ | | ___ | | 1253685Sobrien# | _| \ \/ / / _` | | '_ ` _ \ | '_ \ | | / _ \ | | 1353685Sobrien# | |___ > < | (_| | | | | | | | | |_) | | | | __/ |_| 1453685Sobrien# |_____| /_/\_\ \__,_| |_| |_| |_| | .__/ |_| \___| (_) 1553685Sobrien# |_| 1653685Sobrien# !!! This is an example! You will need to modify it for your specific 1753685Sobrien# !!! requirements! 1845088Smarkm 1953685Sobrien 2045088Smarkm# Start by allowing everything (this prevents the rest of the file 2145088Smarkm# from working, so remove it when you need protection). 2245488Smarkm# The rules here work on a "First match wins" basis. 2345088SmarkmALL : ALL : allow 2445088Smarkm 2545088Smarkm# Wrapping sshd(8) is not normally a good idea, but if you 2645088Smarkm# need to do it, here's how 2745488Smarkm#sshd : .evil.cracker.example.com : deny 2845088Smarkm 2945088Smarkm# Prevent those with no reverse DNS from connecting. 3045088SmarkmALL : PARANOID : RFC931 20 : deny 3145088Smarkm 3245088Smarkm# Allow anything from localhost 3345088SmarkmALL : localhost : allow 3445488SmarkmALL : my.machine.example.com : allow 3545088Smarkm 3645088Smarkm# Sendmail can help protect you against spammers and relay-rapers 3745088Smarkmsendmail : localhost : allow 3845488Smarkmsendmail : .nice.guy.example.com : allow 3945488Smarkmsendmail : .evil.cracker.example.com : deny 4045088Smarkmsendmail : ALL : allow 4145088Smarkm 4249394Ssheldonh# Exim is an alternative to sendmail, available in the ports tree 4349394Ssheldonhexim : localhost : allow 4449394Ssheldonhexim : .nice.guy.example.com : allow 4549394Ssheldonhexim : .evil.cracker.example.com : deny 4649394Ssheldonhexim : ALL : allow 4749394Ssheldonh 4845488Smarkm# Portmapper is used for all RPC services; protect your NFS! 4953685Sobrien# (IP addresses rather than hostnames *MUST* be used here) 5045488Smarkmportmap : localhost : allow 5145488Smarkmportmap : .nice.guy.example.com : allow 5245488Smarkmportmap : .evil.cracker.example.com : deny 5345488Smarkmportmap : ALL : allow 5445488Smarkm 5545088Smarkm# Provide a small amount of protection for ftpd 5645488Smarkmftpd : localhost : allow 5745488Smarkmftpd : .nice.guy.example.com : allow 5845488Smarkmftpd : .evil.cracker.example.com : deny 5945088Smarkmftpd : ALL : allow 6045088Smarkm 6145088Smarkm# You need to be clever with finger; do _not_ backfinger!! You can easily 6245088Smarkm# start a "finger war". 6345088Smarkmfingerd : ALL \ 6445088Smarkm : spawn (echo Finger. | \ 6545088Smarkm /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \ 6645088Smarkm : deny 6745088Smarkm 6845088Smarkm# The rest of the daemons are protected. Backfinger and log by email. 6945088SmarkmALL : ALL \ 7046667Sobrien : severity auth.info : spawn (/usr/bin/finger -l @%h | \ 7145088Smarkm /usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d (denied)" root) & \ 7245088Smarkm : twist /bin/echo "You are not welcome to use %d from %h." 73