hosts.allow revision 74537 
145088Smarkm#
256585Sobrien# hosts.allow access control file for "tcp wrapped" applications.
350472Speter# $FreeBSD: head/etc/hosts.allow 74537 2001-03-20 21:02:39Z alfred $
445088Smarkm#
558750Scwt# NOTE: The hosts.deny file is deprecated.
658750Scwt#       Place both 'allow' and 'deny' rules in the hosts.allow file.
756585Sobrien#	See hosts_options(5) for the format of this file.
856585Sobrien#	hosts_access(5) no longer fully applies.
945088Smarkm
1053685Sobrien#	 _____                                      _          _ 
1153685Sobrien#	| ____| __  __   __ _   _ __ ___    _ __   | |   ___  | |
1253685Sobrien#	|  _|   \ \/ /  / _` | | '_ ` _ \  | '_ \  | |  / _ \ | |
1353685Sobrien#	| |___   >  <  | (_| | | | | | | | | |_) | | | |  __/ |_|
1453685Sobrien#	|_____| /_/\_\  \__,_| |_| |_| |_| | .__/  |_|  \___| (_)
1553685Sobrien#					   |_|                   
1653685Sobrien# !!! This is an example! You will need to modify it for your specific
1753685Sobrien# !!! requirements!
1845088Smarkm
1953685Sobrien
2045088Smarkm# Start by allowing everything (this prevents the rest of the file
2145088Smarkm# from working, so remove it when you need protection).
2245488Smarkm# The rules here work on a "First match wins" basis.
2345088SmarkmALL : ALL : allow
2445088Smarkm
2545088Smarkm# Wrapping sshd(8) is not normally a good idea, but if you
2645088Smarkm# need to do it, here's how
2745488Smarkm#sshd : .evil.cracker.example.com : deny 
2845088Smarkm
2945088Smarkm# Prevent those with no reverse DNS from connecting.
3045088SmarkmALL : PARANOID : RFC931 20 : deny
3145088Smarkm
3260031Ssheldonh# Allow anything from localhost.  Note that an IP address (not a host
3374537Salfred# name) *MUST* be specified for rpcbind(8).
3460031SsheldonhALL : localhost 127.0.0.1 : allow
3560031SsheldonhALL : my.machine.example.com 192.0.2.35 : allow
3645088Smarkm
3763515Sume# To use IPv6 addresses you must enclose them in []'s
3863515SumeALL : [fe80::%fxp0]/10 : allow
3963515SumeALL : [fe80::]/10 : deny
4063515SumeALL : [3ffe:fffe:2:1:2:3:4:3fe1] : deny
4163515SumeALL : [3ffe:fffe:2:1::]/64 : allow
4263515Sume
4345088Smarkm# Sendmail can help protect you against spammers and relay-rapers
4445088Smarkmsendmail : localhost : allow
4545488Smarkmsendmail : .nice.guy.example.com : allow
4645488Smarkmsendmail : .evil.cracker.example.com : deny
4745088Smarkmsendmail : ALL : allow
4845088Smarkm
4949394Ssheldonh# Exim is an alternative to sendmail, available in the ports tree
5049394Ssheldonhexim : localhost : allow
5149394Ssheldonhexim : .nice.guy.example.com : allow
5249394Ssheldonhexim : .evil.cracker.example.com : deny
5349394Ssheldonhexim : ALL : allow
5449394Ssheldonh
5545488Smarkm# Portmapper is used for all RPC services; protect your NFS!
5653685Sobrien# (IP addresses rather than hostnames *MUST* be used here)
5774537Salfredrpcbind : 192.0.2.32/255.255.255.224 : allow
5874537Salfredrpcbind : 192.0.2.96/255.255.255.224 : allow
5974537Salfredrpcbind : ALL : deny
6045488Smarkm
6145088Smarkm# Provide a small amount of protection for ftpd
6245488Smarkmftpd : localhost : allow
6345488Smarkmftpd : .nice.guy.example.com : allow
6445488Smarkmftpd : .evil.cracker.example.com : deny
6545088Smarkmftpd : ALL : allow
6645088Smarkm
6745088Smarkm# You need to be clever with finger; do _not_ backfinger!! You can easily
6845088Smarkm# start a "finger war".
6945088Smarkmfingerd : ALL \
7045088Smarkm	: spawn (echo Finger. | \
7145088Smarkm	 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
7245088Smarkm	: deny
7345088Smarkm
7457284Sjkh# The rest of the daemons are protected.
7545088SmarkmALL : ALL \
7657284Sjkh	: severity auth.info \
7745088Smarkm	: twist /bin/echo "You are not welcome to use %d from %h."
78