freebsd-dev/etc/hosts.allow

#
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD$
#
# NOTE: The hosts.deny file is deprecated.
#       Place both 'allow' and 'deny' rules in the hosts.allow file.
#       See hosts_options(5) for the format of this file.
#       hosts_access(5) no longer fully applies.
#
#   _____                                      _          _
#  | ____| __  __   __ _   _ __ ___    _ __   | |   ___  | |
#  |  _|   \ \/ /  / _` | | '_ ` _ \  | '_ \  | |  / _ \ | |
#  | |___   >  <  | (_| | | | | | | | | |_) | | | |  __/ |_|
#  |_____| /_/\_\  \__,_| |_| |_| |_| | .__/  |_|  \___| (_)
#                                     |_|
# !!! This is an example! You will need to modify it for your specific
# !!! requirements!


# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny

# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost.  Note that an IP address (not a host
# name) *MUST* be specified for rpcbind(8).
ALL : localhost 127.0.0.1 : allow
# Comment out next line if you build libwrap without IPv6 support.
ALL : [::1] : allow
#ALL : my.machine.example.com 192.0.2.35 : allow

# To use IPv6 addresses you must enclose them in []'s
#ALL : [fe80::%fxp0]/10 : allow
#ALL : [fe80::]/10 : deny
#ALL : [2001:db8:2:1:2:3:4:3fe1] : deny
#ALL : [2001:db8:2:1::]/64 : allow

# Sendmail can help protect you against spammers and relay-rapers
sendmail : localhost : allow
#sendmail : .nice.guy.example.com : allow
#sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow

# Exim is an alternative to sendmail, available in the ports tree
exim : localhost : allow
#exim : .nice.guy.example.com : allow
#exim : .evil.cracker.example.com : deny
exim : ALL : allow

# Rpcbind is used for all RPC services; protect your NFS!
# Rpcbind should be running with -W option to support this.
# (IP addresses rather than hostnames *MUST* be used here)
#rpcbind : 192.0.2.32/255.255.255.224 : allow
#rpcbind : 192.0.2.96/255.255.255.224 : allow
rpcbind : ALL : deny

# NIS master server. Only local nets should have access
# (Since this is an RPC service, rpcbind needs to be considered)
ypserv : localhost : allow
#ypserv : .unsafe.my.net.example.com : deny
#ypserv : .my.net.example.com : allow
ypserv : ALL : deny

# Provide a small amount of protection for ftpd
ftpd : localhost : allow
#ftpd : .nice.guy.example.com : allow
#ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
fingerd : ALL \
	: spawn (echo Finger. | \
	 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
	: deny

# The rest of the daemons are protected.
ALL : ALL \
	: severity auth.info \
	: twist /bin/echo "You are not welcome to use %d from %h."
Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00			`#`
Fix English. Also use full spelling and reorg a little while I'm here. Submitted by: Andy Farkas <andyf@speednet.com.au> 2000-01-25 11:25:59 +00:00			`# hosts.allow access control file for "tcp wrapped" applications.`
$Id$ -> $FreeBSD$ 1999-08-27 23:37:10 +00:00			`# $FreeBSD$`
Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00			`#`
Clarify the disposition of hosts.deny and provide a logically consistent portmap example rule. Reviewed by: obrien, markm Obtained-good-ideas from: obrien 2000-03-28 17:28:56 +00:00			`# NOTE: The hosts.deny file is deprecated.`
			`# Place both 'allow' and 'deny' rules in the hosts.allow file.`
Allow info to display correctly in for varying tabstop settings The SAMPLE message and notes where tab seperated for some parts and hence displayed incorrectly unless tabstop was set to 8. Switch to spaces to it displays correctly independent of the tabstop setting. Sponsored by: Multiplay 2014-12-24 01:50:44 +00:00			`# See hosts_options(5) for the format of this file.`
			`# hosts_access(5) no longer fully applies.`
			`#`
			`# _____ _ _`
			`# \| ____\| __ __ __ _ _ __ ___ _ __ \| \| ___ \| \|`
			# \| _\| \ \/ / / _` \| \| '_ ` _ \ \| '_ \ \| \| / _ \ \| \|
			`# \| \|___ > < \| (_\| \| \| \| \| \| \| \| \| \|_) \| \| \| \| __/ \|_\|`
			`# \|_____\| /_/\_\ \__,_\| \|_\| \|_\| \|_\| \| .__/ \|_\| \___\| (_)`
			`# \|_\|`
MFS: note that only IP addresses work when wrapping the portmapper. Make clearer we consider this only an example, and admins should really write this file for their needs. 1999-11-25 03:00:44 +00:00			`# !!! This is an example! You will need to modify it for your specific`
			`# !!! requirements!`

Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00
			`# Start by allowing everything (this prevents the rest of the file`
			`# from working, so remove it when you need protection).`
Use more politically correct examples, and expand the examples a bit. 1999-04-08 19:08:53 +00:00			`# The rules here work on a "First match wins" basis.`
Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00			`ALL : ALL : allow`

			`# Wrapping sshd(8) is not normally a good idea, but if you`
			`# need to do it, here's how`
Removed whitespace at BOF, EOL & EOF. 2004-06-06 11:46:29 +00:00			`#sshd : .evil.cracker.example.com : deny`
Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00
Clear up what the line "ALL : PARANOID : RFC931 20 : deny" means to tcp wrappers. The description is a little long, but hopefully accurate. 2001-08-18 14:22:52 +00:00			`# Protect against simple DNS spoofing attacks by checking that the`
			`# forward and reverse records for the remote host match. If a mismatch`
			`# occurs, access is denied, and any positive ident response within`
			`# 20 seconds is logged. No protection is afforded against DNS poisoning,`
			`# IP spoofing or more complicated attacks. Hosts with no reverse DNS`
			`# pass this rule.`
Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00			`ALL : PARANOID : RFC931 20 : deny`

Add IP addresses to the rules required to "Allow anything from localhost", since portmap(8) is included in "anything". Submitted by: Doug Barton <Doug@gorean.org> 2000-05-05 08:31:59 +00:00			`# Allow anything from localhost. Note that an IP address (not a host`
s/portmap/rpcbind Pointed out by: Hajimu UMEMOTO <ume@mahoroba.org> 2001-03-20 21:02:39 +00:00			`# name) MUST be specified for rpcbind(8).`
The libwrap built with NO_INET6=yes cannot parse an IPv6 address. So, mention it in comment. Submitted by: Dmitry Morozovsky <marck__at__rinet.ru> MFC after: 2 days 2006-02-16 14:46:03 +00:00			`ALL : localhost 127.0.0.1 : allow`
Reimplementation of world/kernel build options. For details, see: http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html The src.conf(5) manpage is to follow in a few days. Brought to you by: imp, jhb, kris, phk, ru (all bugs are mine) 2006-03-17 18:54:44 +00:00			`# Comment out next line if you build libwrap without IPv6 support.`
The libwrap built with NO_INET6=yes cannot parse an IPv6 address. So, mention it in comment. Submitted by: Dmitry Morozovsky <marck__at__rinet.ru> MFC after: 2 days 2006-02-16 14:46:03 +00:00			`ALL : [::1] : allow`
Comment out lines that use example addresses and example.com names so that local changes can be made more easily (without having to comment these lines, and making the diff more readable). 2006-08-29 09:20:48 +00:00			`#ALL : my.machine.example.com 192.0.2.35 : allow`
Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00
Add some examples for IPv6 addresses. PR: conf/18614 Submitted by: James Housley <jim@thehousleys.net> 2000-07-19 13:05:58 +00:00			`# To use IPv6 addresses you must enclose them in []'s`
Comment out lines that use example addresses and example.com names so that local changes can be made more easily (without having to comment these lines, and making the diff more readable). 2006-08-29 09:20:48 +00:00			`#ALL : [fe80::%fxp0]/10 : allow`
			`#ALL : [fe80::]/10 : deny`
			`#ALL : [2001:db8:2:1:2:3:4:3fe1] : deny`
			`#ALL : [2001:db8:2:1::]/64 : allow`
Add some examples for IPv6 addresses. PR: conf/18614 Submitted by: James Housley <jim@thehousleys.net> 2000-07-19 13:05:58 +00:00
Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00			`# Sendmail can help protect you against spammers and relay-rapers`
			`sendmail : localhost : allow`
Comment out lines that use example addresses and example.com names so that local changes can be made more easily (without having to comment these lines, and making the diff more readable). 2006-08-29 09:20:48 +00:00			`#sendmail : .nice.guy.example.com : allow`
			`#sendmail : .evil.cracker.example.com : deny`
Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00			`sendmail : ALL : allow`

Add a sample entry for Exim, in preparation for the upcoming behaviour change in the port, where TCP Wrapper support will become the default. Requested by: markm 1999-08-03 14:52:46 +00:00			`# Exim is an alternative to sendmail, available in the ports tree`
			`exim : localhost : allow`
Comment out lines that use example addresses and example.com names so that local changes can be made more easily (without having to comment these lines, and making the diff more readable). 2006-08-29 09:20:48 +00:00			`#exim : .nice.guy.example.com : allow`
			`#exim : .evil.cracker.example.com : deny`
Add a sample entry for Exim, in preparation for the upcoming behaviour change in the port, where TCP Wrapper support will become the default. Requested by: markm 1999-08-03 14:52:46 +00:00			`exim : ALL : allow`

"Portmapper" -> "Rpcbind" in a comment. 2001-04-26 13:43:02 +00:00			`# Rpcbind is used for all RPC services; protect your NFS!`
Disable libwrap (TCP wrappers) support in rpcbind by default, introducing new command line options -W, to enable it when needed. On my tests this change by almost ten times improves rpcbind performance. No objections: many, net@ 2014-03-06 17:33:27 +00:00			`# Rpcbind should be running with -W option to support this.`
MFS: note that only IP addresses work when wrapping the portmapper. Make clearer we consider this only an example, and admins should really write this file for their needs. 1999-11-25 03:00:44 +00:00			`# (IP addresses rather than hostnames MUST be used here)`
Comment out lines that use example addresses and example.com names so that local changes can be made more easily (without having to comment these lines, and making the diff more readable). 2006-08-29 09:20:48 +00:00			`#rpcbind : 192.0.2.32/255.255.255.224 : allow`
			`#rpcbind : 192.0.2.96/255.255.255.224 : allow`
s/portmap/rpcbind Pointed out by: Hajimu UMEMOTO <ume@mahoroba.org> 2001-03-20 21:02:39 +00:00			`rpcbind : ALL : deny`
Use more politically correct examples, and expand the examples a bit. 1999-04-08 19:08:53 +00:00
Enable TCP_WRAPPERs for the NIS server. The protection afforded is not massive, but usable. 2002-02-06 20:39:36 +00:00			`# NIS master server. Only local nets should have access`
Since NIS is an RPC based service, add a note that when adjusting access controls in NIS, similar access controls should be considered for the rpcbind as well. 2006-06-01 14:14:58 +00:00			`# (Since this is an RPC service, rpcbind needs to be considered)`
Enable TCP_WRAPPERs for the NIS server. The protection afforded is not massive, but usable. 2002-02-06 20:39:36 +00:00			`ypserv : localhost : allow`
Comment out lines that use example addresses and example.com names so that local changes can be made more easily (without having to comment these lines, and making the diff more readable). 2006-08-29 09:20:48 +00:00			`#ypserv : .unsafe.my.net.example.com : deny`
			`#ypserv : .my.net.example.com : allow`
Enable TCP_WRAPPERs for the NIS server. The protection afforded is not massive, but usable. 2002-02-06 20:39:36 +00:00			`ypserv : ALL : deny`

Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00			`# Provide a small amount of protection for ftpd`
Use more politically correct examples, and expand the examples a bit. 1999-04-08 19:08:53 +00:00			`ftpd : localhost : allow`
Comment out lines that use example addresses and example.com names so that local changes can be made more easily (without having to comment these lines, and making the diff more readable). 2006-08-29 09:20:48 +00:00			`#ftpd : .nice.guy.example.com : allow`
			`#ftpd : .evil.cracker.example.com : deny`
Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00			`ftpd : ALL : allow`

			`# You need to be clever with finger; do _not_ backfinger!! You can easily`
			`# start a "finger war".`
			`fingerd : ALL \`
			`: spawn (echo Finger. \| \`
			`/usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \`
			`: deny`

The default rule in this file actually sent mail to root as its default action when denying access to a service. Unfortunately, this also makes a dandy denial-of-service attack possible. Change to just log the event and shoot a "go away" response back down the socket. 2000-02-17 04:52:23 +00:00			`# The rest of the daemons are protected.`
Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00			`ALL : ALL \`
The default rule in this file actually sent mail to root as its default action when denying access to a service. Unfortunately, this also makes a dandy denial-of-service attack possible. Change to just log the event and shoot a "go away" response back down the socket. 2000-02-17 04:52:23 +00:00			`: severity auth.info \`
Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00			`: twist /bin/echo "You are not welcome to use %d from %h."`