hosts.allow revision 56585
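#
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: head/etc/hosts.allow 56585 2000-01-25 11:25:59Z obrien $
#
# NOTE: The hosts.deny file is no longer used.
#       Instead, put both 'allow' and 'deny' rules in the hosts.allow file.
#	See hosts_options(5) for the format of this file.
#	hosts_access(5) no longer fully applies.
#
# Each rule is "daemon_list : client_list : option [: option ...]".  Rules
# are tried top to bottom and the FIRST match wins; a client that matches
# no rule at all is allowed, so a broad "deny" must come before the
# specific rules it is meant to cover.  The %u/%h/%a/%d expansions used in
# the spawn/twist commands below are sanitized by tcpd (characters that
# would confuse the shell are replaced by underscores) before any shell
# sees them.

#	 _____                                      _          _ 
#	| ____| __  __   __ _   _ __ ___    _ __   | |   ___  | |
#	|  _|   \ \/ /  / _` | | '_ ` _ \  | '_ \  | |  / _ \ | |
#	| |___   >  <  | (_| | | | | | | | | |_) | | | |  __/ |_|
#	|_____| /_/\_\  \__,_| |_| |_| |_| | .__/  |_|  \___| (_)
#					   |_|                   
# !!! This is an example! You will need to modify it for your specific
# !!! requirements!


# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
# While this line is present every rule below it is unreachable: nothing
# is denied and nothing is logged.  Delete it (rather than moving it
# further down) once the rest of the file has been adapted.
ALL : ALL : allow

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny 

# Drop clients whose forward and reverse DNS disagree: PARANOID matches a
# host whose name does not match its address.  A client with *no* reverse
# DNS at all matches UNKNOWN rather than PARANOID; uncomment the second
# rule to refuse those too, bearing in mind that hosts_access(5) warns a
# name can also be unavailable because of a transient resolver problem.
# The "RFC931 20" option queries the client's ident server for the user
# name, waiting up to 20 seconds.  That answer is supplied by the client,
# so it is only ever useful for logging (%u), never for access decisions,
# and the wait delays every connection that reaches this rule.
ALL : PARANOID : RFC931 20 : deny
#ALL : UNKNOWN : deny

# Allow anything from localhost
ALL : localhost : allow
# A host-name pattern is only as trustworthy as the DNS that resolves it;
# for a host that is granted access to every service, prefer an address
# pattern.
ALL : my.machine.example.com : allow

# Sendmail can help protect you against spammers and relay-rapers
sendmail : localhost : allow
sendmail : .nice.guy.example.com : allow
sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow

# Exim is an alternative to sendmail, available in the ports tree
exim : localhost : allow
exim : .nice.guy.example.com : allow
exim : .evil.cracker.example.com : deny
exim : ALL : allow

# Portmapper is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here)
# NOTE: the host-name patterns in the three rules below contradict that
# requirement and are placeholders only.  Replace them with address
# patterns, e.g. 192.0.2.0/255.255.255.0 (a documentation-range example),
# before relying on this stanza.
portmap : localhost : allow
portmap : .nice.guy.example.com : allow
portmap : .evil.cracker.example.com : deny
portmap : ALL : allow

# Provide a small amount of protection for ftpd
ftpd : localhost : allow
ftpd : .nice.guy.example.com : allow
ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
# Every denied finger request below sends one mail to root; on an exposed
# host a port sweep can fill that mailbox quickly, so consider logging via
# "severity" instead of (or as well as) mail.
fingerd : ALL \
	: spawn (echo Finger. | \
	 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
	: deny

# The rest of the daemons are protected. Backfinger and log by email.
# This rule does exactly what the fingerd comment above advises against:
# "/usr/bin/finger -l @%h" backfingers every client it refuses.  Drop the
# finger part of the pipeline (keep the mail and the severity option)
# unless that is intended.  Also note that "twist" accepts the connection
# and sends the banner, so the client learns which service (%d) refused
# it; use ": deny" instead if denied clients should get no response.
ALL : ALL \
	: severity auth.info : spawn (/usr/bin/finger -l @%h | \
	 /usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d  (denied)" root) & \
	: twist /bin/echo "You are not welcome to use %d from %h."
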