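#
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: head/etc/hosts.allow 56585 2000-01-25 11:25:59Z obrien $
#
# NOTE: The hosts.deny file is no longer used.
#       Instead, put both 'allow' and 'deny' rules in the hosts.allow file.
#	See hosts_options(5) for the format of this file.
#	hosts_access(5) no longer fully applies.

#	 _____                                      _          _ 
#	| ____| __  __   __ _   _ __ ___    _ __   | |   ___  | |
#	|  _|   \ \/ /  / _` | | '_ ` _ \  | '_ \  | |  / _ \ | |
#	| |___   >  <  | (_| | | | | | | | | |_) | | | |  __/ |_|
#	|_____| /_/\_\  \__,_| |_| |_| |_| | .__/  |_|  \___| (_)
#					   |_|                   
# !!! This is an example! You will need to modify it for your specific
# !!! requirements!


# Rules are evaluated top to bottom and the FIRST matching rule decides;
# nothing after a match is consulted.  This catch-all therefore grants
# every client access to every wrapped daemon and leaves the rest of the
# file inert.  Remove it once you actually want the protection below
# (or move a deliberate default to the very end of the file instead).
ALL : ALL : allow

# Wrapping sshd(8) is not normally a good idea, but if you need to do it,
# here's how.  (sshd has access controls of its own; see sshd_config(5).)
#sshd : .evil.cracker.example.com : deny

# Refuse clients whose host name and address do not agree (PARANOID).
# The RFC931 option asks the client's ident server for a user name, with
# a 20 second timeout, so that the denial is logged with a user name.
# That name is reported by the remote host itself and must not be treated
# as authenticated.
ALL : PARANOID : RFC931 20 : deny

# Local access is always fine.
ALL : localhost : allow
ALL : my.machine.example.com : allow

# Sendmail: a per-client list lets you shut out known relay abusers and
# spammers while still accepting mail from everyone else.
sendmail : localhost : allow
sendmail : .nice.guy.example.com : allow
sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow

# Exim (available in the ports tree) is an alternative to sendmail; the
# same pattern applies.
exim : localhost : allow
exim : .nice.guy.example.com : allow
exim : .evil.cracker.example.com : deny
exim : ALL : allow

# Portmapper fronts every RPC service (NFS included), so protect it.
# Patterns for portmap *MUST* be IP addresses or address prefixes, never
# host names (the portmapper does not do host name lookups for its
# clients); the previous host-name patterns here could not be relied on.
# 192.0.2. and 198.51.100. are RFC 5737 documentation networks standing
# in for a trusted network and an unwanted one -- replace them with your
# own addresses.
portmap : 127.0.0.1 : allow
portmap : 192.0.2. : allow
portmap : 198.51.100. : deny
portmap : ALL : allow

# Provide a small amount of protection for ftpd.
ftpd : localhost : allow
ftpd : .nice.guy.example.com : allow
ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow

# Finger: deny everyone, but mail root a note saying who asked.  Do NOT
# backfinger the client from this rule -- two finger daemons that each
# finger the other on every request produce a "finger war".
fingerd : ALL \
	: spawn (echo Finger. | \
	 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
	: deny

# Every remaining daemon is denied.  The denial is logged at auth.info,
# the client is backfingered with the result mailed to root, and the
# client receives a one-line explanation through twist.
# NOTE(review): the spawn makes an outbound finger connection to every
# rejected client, and the mail body is whatever that client's finger
# server chooses to return; drop the finger step if you would rather not
# let remote hosts trigger outbound traffic and fill root's mailbox.
# hosts_access(5) replaces shell-significant characters in % expansions,
# but %u and %h are still remote-supplied text, not verified identity.
ALL : ALL \
	: severity auth.info : spawn (/usr/bin/finger -l @%h | \
	 /usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d  (denied)" root) & \
	: twist /bin/echo "You are not welcome to use %d from %h."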