hosts.allow revision 58750 
145088Smarkm#
256585Sobrien# hosts.allow access control file for "tcp wrapped" applications.
350472Speter# $FreeBSD: head/etc/hosts.allow 58750 2000-03-28 17:28:56Z cwt $
445088Smarkm#
558750Scwt# NOTE: The hosts.deny file is deprecated.
658750Scwt#       Place both 'allow' and 'deny' rules in the hosts.allow file.
756585Sobrien#	See hosts_options(5) for the format of this file.
856585Sobrien#	hosts_access(5) no longer fully applies.
945088Smarkm
1053685Sobrien#	 _____                                      _          _ 
1153685Sobrien#	| ____| __  __   __ _   _ __ ___    _ __   | |   ___  | |
1253685Sobrien#	|  _|   \ \/ /  / _` | | '_ ` _ \  | '_ \  | |  / _ \ | |
1353685Sobrien#	| |___   >  <  | (_| | | | | | | | | |_) | | | |  __/ |_|
1453685Sobrien#	|_____| /_/\_\  \__,_| |_| |_| |_| | .__/  |_|  \___| (_)
1553685Sobrien#					   |_|                   
1653685Sobrien# !!! This is an example! You will need to modify it for your specific
1753685Sobrien# !!! requirements!
1845088Smarkm
1953685Sobrien
2045088Smarkm# Start by allowing everything (this prevents the rest of the file
2145088Smarkm# from working, so remove it when you need protection).
2245488Smarkm# The rules here work on a "First match wins" basis.
2345088SmarkmALL : ALL : allow
2445088Smarkm
2545088Smarkm# Wrapping sshd(8) is not normally a good idea, but if you
2645088Smarkm# need to do it, here's how
2745488Smarkm#sshd : .evil.cracker.example.com : deny 
2845088Smarkm
2945088Smarkm# Prevent those with no reverse DNS from connecting.
3045088SmarkmALL : PARANOID : RFC931 20 : deny
3145088Smarkm
3245088Smarkm# Allow anything from localhost
3345088SmarkmALL : localhost : allow
3445488SmarkmALL : my.machine.example.com : allow
3545088Smarkm
3645088Smarkm# Sendmail can help protect you against spammers and relay-rapers
3745088Smarkmsendmail : localhost : allow
3845488Smarkmsendmail : .nice.guy.example.com : allow
3945488Smarkmsendmail : .evil.cracker.example.com : deny
4045088Smarkmsendmail : ALL : allow
4145088Smarkm
4249394Ssheldonh# Exim is an alternative to sendmail, available in the ports tree
4349394Ssheldonhexim : localhost : allow
4449394Ssheldonhexim : .nice.guy.example.com : allow
4549394Ssheldonhexim : .evil.cracker.example.com : deny
4649394Ssheldonhexim : ALL : allow
4749394Ssheldonh
4845488Smarkm# Portmapper is used for all RPC services; protect your NFS!
4953685Sobrien# (IP addresses rather than hostnames *MUST* be used here)
5058750Scwtportmap : 192.0.2.32/255.255.255.224 : allow
5158750Scwtportmap : 192.0.2.96/255.255.255.224 : allow
5258750Scwtportmap : ALL : deny
5345488Smarkm
5445088Smarkm# Provide a small amount of protection for ftpd
5545488Smarkmftpd : localhost : allow
5645488Smarkmftpd : .nice.guy.example.com : allow
5745488Smarkmftpd : .evil.cracker.example.com : deny
5845088Smarkmftpd : ALL : allow
5945088Smarkm
6045088Smarkm# You need to be clever with finger; do _not_ backfinger!! You can easily
6145088Smarkm# start a "finger war".
6245088Smarkmfingerd : ALL \
6345088Smarkm	: spawn (echo Finger. | \
6445088Smarkm	 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
6545088Smarkm	: deny
6645088Smarkm
6757284Sjkh# The rest of the daemons are protected.
6845088SmarkmALL : ALL \
6957284Sjkh	: severity auth.info \
7045088Smarkm	: twist /bin/echo "You are not welcome to use %d from %h."
71