hosts.allow revision 130151
#
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: head/etc/hosts.allow 130151 2004-06-06 11:46:29Z schweikh $
#
# NOTE: The hosts.deny file is deprecated.
# Place both 'allow' and 'deny' rules in the hosts.allow file.
# See hosts_options(5) for the format of this file.
# hosts_access(5) no longer fully applies.

# _____ _ _
# | ____| __ __ __ _ _ __ ___ _ __ | | ___ | |
# | _| \ \/ / / _` | | '_ ` _ \ | '_ \ | | / _ \ | |
# | |___ > < | (_| | | | | | | | | |_) | | | | __/ |_|
# |_____| /_/\_\ \__,_| |_| |_| |_| | .__/ |_| \___| (_)
# |_|
# !!! This is an example! You will need to modify it for your specific
# !!! requirements!


# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny

# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost. Note that an IP address (not a host
# name) *MUST* be specified for rpcbind(8).
ALL : localhost 127.0.0.1 : allow
ALL : my.machine.example.com 192.0.2.35 : allow

# To use IPv6 addresses you must enclose them in []'s
ALL : [fe80::%fxp0]/10 : allow
ALL : [fe80::]/10 : deny
ALL : [3ffe:fffe:2:1:2:3:4:3fe1] : deny
ALL : [3ffe:fffe:2:1::]/64 : allow

# Sendmail can help protect you against spammers and open-relay abusers
sendmail : localhost : allow
sendmail : .nice.guy.example.com : allow
sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow

# Exim is an alternative to sendmail, available in the ports tree
exim : localhost : allow
exim : .nice.guy.example.com : allow
exim : .evil.cracker.example.com : deny
exim : ALL : allow

# Rpcbind is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here)
rpcbind : 192.0.2.32/255.255.255.224 : allow
rpcbind : 192.0.2.96/255.255.255.224 : allow
rpcbind : ALL : deny

# NIS master server. Only local nets should have access
ypserv : localhost : allow
ypserv : .unsafe.my.net.example.com : deny
ypserv : .my.net.example.com : allow
ypserv : ALL : deny

# Provide a small amount of protection for ftpd
ftpd : localhost : allow
ftpd : .nice.guy.example.com : allow
ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
fingerd : ALL \
	: spawn (echo Finger. | \
	/usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
	: deny

# The rest of the daemons are protected.
ALL : ALL \
	: severity auth.info \
	: twist /bin/echo "You are not welcome to use %d from %h."
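Added example, not part of FreeBSD's file or of tcp_wrappers itself: a small Python model of the "first match wins" evaluation the comments above describe, run over a constructed subset of these rules with the initial `ALL : ALL : allow` line removed so the later rules can take effect. It models only the client patterns this file uses (ALL, plain host names, dotted domain suffixes, IPv4 net/mask, bracketed IPv6 prefixes) and the allow/deny verdict; PARANOID, ident lookups, spawn/twist and backslash continuation lines are assumed out of scope.

```python
import ipaddress
import re

# Constructed subset of the rules above, without the catch-all allow at the top.
SAMPLE_RULES = """
ALL : localhost 127.0.0.1 : allow
ALL : [3ffe:fffe:2:1:2:3:4:3fe1] : deny
ALL : [3ffe:fffe:2:1::]/64 : allow
sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow
rpcbind : 192.0.2.32/255.255.255.224 : allow
rpcbind : ALL : deny
ALL : ALL : deny
"""

def parse_rules(text):
    """Return [(daemons, clients, verdict)].  Fields are split on ' : ' so the
    colons inside bracketed IPv6 patterns survive (assumption: the file always
    pads its field separators, as this one does).  Options other than allow/deny
    are ignored; a rule with neither verdict grants access, as hosts.allow does."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in re.split(r"\s+:\s+", line)]
        daemons, clients, options = fields[0].split(), fields[1].split(), fields[2:]
        rules.append((daemons, clients, "deny" if "deny" in options else "allow"))
    return rules

def client_matches(pattern, host, addr):
    """Match one client pattern against the peer's host name and address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                  # domain suffix, e.g. .example.com
        return host.lower().endswith(pattern.lower())
    if pattern.startswith("["):                  # [v6addr]/prefix; scope id dropped
        net, _, plen = pattern.partition("/")
        pattern = net.strip("[]").split("%")[0] + "/" + (plen or "128")
    try:                                         # IPv4 addr, net/mask or v6 prefix
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:                           # not an address: plain host name
        return host.lower() == pattern.lower()

def decide(rules, daemon, host, addr):
    """First matching rule wins; if no rule matches, access is granted."""
    for daemons, clients, verdict in rules:
        if any(d in ("ALL", daemon) for d in daemons) and \
           any(client_matches(c, host, addr) for c in clients):
            return verdict
    return "allow"
```

Note that the single-address IPv6 deny only works because it precedes the /64 allow; swapping those two lines silently reverses the outcome for that host.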