hosts.allow revision 60031 
145088Smarkm#
256585Sobrien# hosts.allow access control file for "tcp wrapped" applications.
350472Speter# $FreeBSD: head/etc/hosts.allow 60031 2000-05-05 08:31:59Z sheldonh $
445088Smarkm#
558750Scwt# NOTE: The hosts.deny file is deprecated.
658750Scwt#       Place both 'allow' and 'deny' rules in the hosts.allow file.
756585Sobrien#	See hosts_options(5) for the format of this file.
856585Sobrien#	hosts_access(5) no longer fully applies.
945088Smarkm
1053685Sobrien#	 _____                                      _          _ 
1153685Sobrien#	| ____| __  __   __ _   _ __ ___    _ __   | |   ___  | |
1253685Sobrien#	|  _|   \ \/ /  / _` | | '_ ` _ \  | '_ \  | |  / _ \ | |
1353685Sobrien#	| |___   >  <  | (_| | | | | | | | | |_) | | | |  __/ |_|
1453685Sobrien#	|_____| /_/\_\  \__,_| |_| |_| |_| | .__/  |_|  \___| (_)
1553685Sobrien#					   |_|                   
1653685Sobrien# !!! This is an example! You will need to modify it for your specific
1753685Sobrien# !!! requirements!
1845088Smarkm
1953685Sobrien
2045088Smarkm# Start by allowing everything (this prevents the rest of the file
2145088Smarkm# from working, so remove it when you need protection).
2245488Smarkm# The rules here work on a "First match wins" basis.
2345088SmarkmALL : ALL : allow
2445088Smarkm
2545088Smarkm# Wrapping sshd(8) is not normally a good idea, but if you
2645088Smarkm# need to do it, here's how
2745488Smarkm#sshd : .evil.cracker.example.com : deny 
2845088Smarkm
2945088Smarkm# Prevent those with no reverse DNS from connecting.
3045088SmarkmALL : PARANOID : RFC931 20 : deny
3145088Smarkm
3260031Ssheldonh# Allow anything from localhost.  Note that an IP address (not a host
3360031Ssheldonh# name) *MUST* be specified for portmap(8).
3460031SsheldonhALL : localhost 127.0.0.1 : allow
3560031SsheldonhALL : my.machine.example.com 192.0.2.35 : allow
3645088Smarkm
3745088Smarkm# Sendmail can help protect you against spammers and relay-rapers
3845088Smarkmsendmail : localhost : allow
3945488Smarkmsendmail : .nice.guy.example.com : allow
4045488Smarkmsendmail : .evil.cracker.example.com : deny
4145088Smarkmsendmail : ALL : allow
4245088Smarkm
4349394Ssheldonh# Exim is an alternative to sendmail, available in the ports tree
4449394Ssheldonhexim : localhost : allow
4549394Ssheldonhexim : .nice.guy.example.com : allow
4649394Ssheldonhexim : .evil.cracker.example.com : deny
4749394Ssheldonhexim : ALL : allow
4849394Ssheldonh
4945488Smarkm# Portmapper is used for all RPC services; protect your NFS!
5053685Sobrien# (IP addresses rather than hostnames *MUST* be used here)
5158750Scwtportmap : 192.0.2.32/255.255.255.224 : allow
5258750Scwtportmap : 192.0.2.96/255.255.255.224 : allow
5358750Scwtportmap : ALL : deny
5445488Smarkm
5545088Smarkm# Provide a small amount of protection for ftpd
5645488Smarkmftpd : localhost : allow
5745488Smarkmftpd : .nice.guy.example.com : allow
5845488Smarkmftpd : .evil.cracker.example.com : deny
5945088Smarkmftpd : ALL : allow
6045088Smarkm
6145088Smarkm# You need to be clever with finger; do _not_ backfinger!! You can easily
6245088Smarkm# start a "finger war".
6345088Smarkmfingerd : ALL \
6445088Smarkm	: spawn (echo Finger. | \
6545088Smarkm	 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
6645088Smarkm	: deny
6745088Smarkm
6857284Sjkh# The rest of the daemons are protected.
6945088SmarkmALL : ALL \
7057284Sjkh	: severity auth.info \
7145088Smarkm	: twist /bin/echo "You are not welcome to use %d from %h."
72