hosts.allow revision 50472
1# 2# hosts.allow access control file for "tcp wrapped" apps. 3# $FreeBSD: head/etc/hosts.allow 50472 1999-08-27 23:37:10Z peter $ 4# 5# NOTE: The hosts.deny file is not longer used. Instead, put both 'allow' 6# and 'deny' rules in the hosts.allow file. 7# see hosts_options(5) for the format of this file. 8# hosts_access(5) no longer fully applies. 9 10# This is an example! You will need to modify it for your specific 11# requirements! 12 13# Start by allowing everything (this prevents the rest of the file 14# from working, so remove it when you need protection). 15# The rules here work on a "First match wins" basis. 16ALL : ALL : allow 17 18# Wrapping sshd(8) is not normally a good idea, but if you 19# need to do it, here's how 20#sshd : .evil.cracker.example.com : deny 21 22# Prevent those with no reverse DNS from connecting. 23ALL : PARANOID : RFC931 20 : deny 24 25# Allow anything from localhost 26ALL : localhost : allow 27ALL : my.machine.example.com : allow 28 29# Sendmail can help protect you against spammers and relay-rapers 30sendmail : localhost : allow 31sendmail : .nice.guy.example.com : allow 32sendmail : .evil.cracker.example.com : deny 33sendmail : ALL : allow 34 35# Exim is an alternative to sendmail, available in the ports tree 36exim : localhost : allow 37exim : .nice.guy.example.com : allow 38exim : .evil.cracker.example.com : deny 39exim : ALL : allow 40 41# Portmapper is used for all RPC services; protect your NFS! 42portmap : localhost : allow 43portmap : .nice.guy.example.com : allow 44portmap : .evil.cracker.example.com : deny 45portmap : ALL : allow 46 47# Provide a small amount of protection for ftpd 48ftpd : localhost : allow 49ftpd : .nice.guy.example.com : allow 50ftpd : .evil.cracker.example.com : deny 51ftpd : ALL : allow 52 53# You need to be clever with finger; do _not_ backfinger!! You can easily 54# start a "finger war". 55fingerd : ALL \ 56 : spawn (echo Finger. | \ 57 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \ 58 : deny 59 60# The rest of the daemons are protected. Backfinger and log by email. 61ALL : ALL \ 62 : severity auth.info : spawn (/usr/bin/finger -l @%h | \ 63 /usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d (denied)" root) & \ 64 : twist /bin/echo "You are not welcome to use %d from %h." 65