hosts.allow revision 159140
145088Smarkm# 256585Sobrien# hosts.allow access control file for "tcp wrapped" applications. 350472Speter# $FreeBSD: head/etc/hosts.allow 159140 2006-06-01 14:14:58Z csjp $ 445088Smarkm# 558750Scwt# NOTE: The hosts.deny file is deprecated. 658750Scwt# Place both 'allow' and 'deny' rules in the hosts.allow file. 756585Sobrien# See hosts_options(5) for the format of this file. 856585Sobrien# hosts_access(5) no longer fully applies. 945088Smarkm 10130151Sschweikh# _____ _ _ 1153685Sobrien# | ____| __ __ __ _ _ __ ___ _ __ | | ___ | | 1253685Sobrien# | _| \ \/ / / _` | | '_ ` _ \ | '_ \ | | / _ \ | | 1353685Sobrien# | |___ > < | (_| | | | | | | | | |_) | | | | __/ |_| 1453685Sobrien# |_____| /_/\_\ \__,_| |_| |_| |_| | .__/ |_| \___| (_) 15130151Sschweikh# |_| 1653685Sobrien# !!! This is an example! You will need to modify it for your specific 1753685Sobrien# !!! requirements! 1845088Smarkm 1953685Sobrien 2045088Smarkm# Start by allowing everything (this prevents the rest of the file 2145088Smarkm# from working, so remove it when you need protection). 2245488Smarkm# The rules here work on a "First match wins" basis. 2345088SmarkmALL : ALL : allow 2445088Smarkm 2545088Smarkm# Wrapping sshd(8) is not normally a good idea, but if you 2645088Smarkm# need to do it, here's how 27130151Sschweikh#sshd : .evil.cracker.example.com : deny 2845088Smarkm 2981890Sdwmalone# Protect against simple DNS spoofing attacks by checking that the 3081890Sdwmalone# forward and reverse records for the remote host match. If a mismatch 3181890Sdwmalone# occurs, access is denied, and any positive ident response within 3281890Sdwmalone# 20 seconds is logged. No protection is afforded against DNS poisoning, 3381890Sdwmalone# IP spoofing or more complicated attacks. Hosts with no reverse DNS 3481890Sdwmalone# pass this rule. 3545088SmarkmALL : PARANOID : RFC931 20 : deny 3645088Smarkm 3760031Ssheldonh# Allow anything from localhost. Note that an IP address (not a host 3874537Salfred# name) *MUST* be specified for rpcbind(8). 39155756SumeALL : localhost 127.0.0.1 : allow 40156813Sru# Comment out next line if you build libwrap without IPv6 support. 41155756SumeALL : [::1] : allow 4260031SsheldonhALL : my.machine.example.com 192.0.2.35 : allow 4345088Smarkm 4463515Sume# To use IPv6 addresses you must enclose them in []'s 4563515SumeALL : [fe80::%fxp0]/10 : allow 4663515SumeALL : [fe80::]/10 : deny 47133065SumeALL : [2001:db8:2:1:2:3:4:3fe1] : deny 48133065SumeALL : [2001:db8:2:1::]/64 : allow 4963515Sume 5045088Smarkm# Sendmail can help protect you against spammers and relay-rapers 5145088Smarkmsendmail : localhost : allow 5245488Smarkmsendmail : .nice.guy.example.com : allow 5345488Smarkmsendmail : .evil.cracker.example.com : deny 5445088Smarkmsendmail : ALL : allow 5545088Smarkm 5649394Ssheldonh# Exim is an alternative to sendmail, available in the ports tree 5749394Ssheldonhexim : localhost : allow 5849394Ssheldonhexim : .nice.guy.example.com : allow 5949394Ssheldonhexim : .evil.cracker.example.com : deny 6049394Ssheldonhexim : ALL : allow 6149394Ssheldonh 6276030Salex# Rpcbind is used for all RPC services; protect your NFS! 6353685Sobrien# (IP addresses rather than hostnames *MUST* be used here) 6474537Salfredrpcbind : 192.0.2.32/255.255.255.224 : allow 6574537Salfredrpcbind : 192.0.2.96/255.255.255.224 : allow 6674537Salfredrpcbind : ALL : deny 6745488Smarkm 6890319Smarkm# NIS master server. Only local nets should have access 69159140Scsjp# (Since this is an RPC service, rpcbind needs to be considered) 7090319Smarkmypserv : localhost : allow 7190319Smarkmypserv : .unsafe.my.net.example.com : deny 7290319Smarkmypserv : .my.net.example.com : allow 7390319Smarkmypserv : ALL : deny 7490319Smarkm 7545088Smarkm# Provide a small amount of protection for ftpd 7645488Smarkmftpd : localhost : allow 7745488Smarkmftpd : .nice.guy.example.com : allow 7845488Smarkmftpd : .evil.cracker.example.com : deny 7945088Smarkmftpd : ALL : allow 8045088Smarkm 8145088Smarkm# You need to be clever with finger; do _not_ backfinger!! You can easily 8245088Smarkm# start a "finger war". 8345088Smarkmfingerd : ALL \ 8445088Smarkm : spawn (echo Finger. | \ 8545088Smarkm /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \ 8645088Smarkm : deny 8745088Smarkm 8857284Sjkh# The rest of the daemons are protected. 8945088SmarkmALL : ALL \ 9057284Sjkh : severity auth.info \ 9145088Smarkm : twist /bin/echo "You are not welcome to use %d from %h." 92