hosts.allow revision 156813
#
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: head/etc/hosts.allow 156813 2006-03-17 18:54:44Z ru $
#
# NOTE: The hosts.deny file is deprecated.
# Place both 'allow' and 'deny' rules in the hosts.allow file.
# See hosts_options(5) for the format of this file.
# hosts_access(5) no longer fully applies.

#  _____                                 _          _
# | ____| __  __   __ _   _ __ ___    _ __  | |  ___  | |
# |  _|   \ \/ /  / _` | | '_ ` _ \  | '_ \ | | / _ \ | |
# | |___   >  <  | (_| | | | | | | | | |_) | | ||  __/ |_|
# |_____| /_/\_\  \__,_| |_| |_| |_| | .__/  |_| \___| (_)
#                                    |_|
# !!! This is an example! You will need to modify it for your specific
# !!! requirements!


# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny

# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost.  Note that an IP address (not a host
# name) *MUST* be specified for rpcbind(8).
ALL : localhost 127.0.0.1 : allow
# Comment out next line if you build libwrap without IPv6 support.
ALL : [::1] : allow
ALL : my.machine.example.com 192.0.2.35 : allow

# To use IPv6 addresses you must enclose them in []'s
ALL : [fe80::%fxp0]/10 : allow
ALL : [fe80::]/10 : deny
ALL : [2001:db8:2:1:2:3:4:3fe1] : deny
ALL : [2001:db8:2:1::]/64 : allow

# Sendmail can help protect you against spammers and relay-rapers
sendmail : localhost : allow
sendmail : .nice.guy.example.com : allow
sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow

# Exim is an alternative to sendmail, available in the ports tree
exim : localhost : allow
exim : .nice.guy.example.com : allow
exim : .evil.cracker.example.com : deny
exim : ALL : allow

# Rpcbind is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here)
rpcbind : 192.0.2.32/255.255.255.224 : allow
rpcbind : 192.0.2.96/255.255.255.224 : allow
rpcbind : ALL : deny

# NIS master server. Only local nets should have access
ypserv : localhost : allow
ypserv : .unsafe.my.net.example.com : deny
ypserv : .my.net.example.com : allow
ypserv : ALL : deny

# Provide a small amount of protection for ftpd
ftpd : localhost : allow
ftpd : .nice.guy.example.com : allow
ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
fingerd : ALL \
	: spawn (echo Finger. | \
	 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
	: deny

# The rest of the daemons are protected.
ALL : ALL \
	: severity auth.info \
	: twist /bin/echo "You are not welcome to use %d from %h."