hosts.allow revision 49394 
145088Smarkm#
245088Smarkm# hosts.allow access control file for "tcp wrapped" apps.
349394Ssheldonh# $Id: hosts.allow,v 1.3 1999/05/08 02:19:25 obrien Exp $
445088Smarkm#
545088Smarkm# NOTE: The hosts.deny file is not longer used.  Instead, put both 'allow'
645088Smarkm#       and 'deny' rules in the hosts.allow file.
745088Smarkm# see hosts_options(5) for the format of this file.
845088Smarkm# hosts_access(5) no longer fully applies.
945088Smarkm
1045088Smarkm# This is an example! You will need to modify it for your specific
1145088Smarkm# requirements!
1245088Smarkm
1345088Smarkm# Start by allowing everything (this prevents the rest of the file
1445088Smarkm# from working, so remove it when you need protection).
1545488Smarkm# The rules here work on a "First match wins" basis.
1645088SmarkmALL : ALL : allow
1745088Smarkm
1845088Smarkm# Wrapping sshd(8) is not normally a good idea, but if you
1945088Smarkm# need to do it, here's how
2045488Smarkm#sshd : .evil.cracker.example.com : deny 
2145088Smarkm
2245088Smarkm# Prevent those with no reverse DNS from connecting.
2345088SmarkmALL : PARANOID : RFC931 20 : deny
2445088Smarkm
2545088Smarkm# Allow anything from localhost
2645088SmarkmALL : localhost : allow
2745488SmarkmALL : my.machine.example.com : allow
2845088Smarkm
2945088Smarkm# Sendmail can help protect you against spammers and relay-rapers
3045088Smarkmsendmail : localhost : allow
3145488Smarkmsendmail : .nice.guy.example.com : allow
3245488Smarkmsendmail : .evil.cracker.example.com : deny
3345088Smarkmsendmail : ALL : allow
3445088Smarkm
3549394Ssheldonh# Exim is an alternative to sendmail, available in the ports tree
3649394Ssheldonhexim : localhost : allow
3749394Ssheldonhexim : .nice.guy.example.com : allow
3849394Ssheldonhexim : .evil.cracker.example.com : deny
3949394Ssheldonhexim : ALL : allow
4049394Ssheldonh
4145488Smarkm# Portmapper is used for all RPC services; protect your NFS!
4245488Smarkmportmap : localhost : allow
4345488Smarkmportmap : .nice.guy.example.com : allow
4445488Smarkmportmap : .evil.cracker.example.com : deny
4545488Smarkmportmap : ALL : allow
4645488Smarkm
4745088Smarkm# Provide a small amount of protection for ftpd
4845488Smarkmftpd : localhost : allow
4945488Smarkmftpd : .nice.guy.example.com : allow
5045488Smarkmftpd : .evil.cracker.example.com : deny
5145088Smarkmftpd : ALL : allow
5245088Smarkm
5345088Smarkm# You need to be clever with finger; do _not_ backfinger!! You can easily
5445088Smarkm# start a "finger war".
5545088Smarkmfingerd : ALL \
5645088Smarkm	: spawn (echo Finger. | \
5745088Smarkm	 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
5845088Smarkm	: deny
5945088Smarkm
6045088Smarkm# The rest of the daemons are protected. Backfinger and log by email.
6145088SmarkmALL : ALL \
6246667Sobrien	: severity auth.info : spawn (/usr/bin/finger -l @%h | \
6345088Smarkm	 /usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d  (denied)" root) & \
6445088Smarkm	: twist /bin/echo "You are not welcome to use %d from %h."
65