freebsd-dev/etc/hosts.allow

#
# hosts.allow access control file for "tcp wrapped" apps.
# $FreeBSD$
#
# NOTE: The hosts.deny file is not longer used.  Instead, put both 'allow'
#       and 'deny' rules in the hosts.allow file.
# see hosts_options(5) for the format of this file.
# hosts_access(5) no longer fully applies.

#	 _____                                      _          _ 
#	| ____| __  __   __ _   _ __ ___    _ __   | |   ___  | |
#	|  _|   \ \/ /  / _` | | '_ ` _ \  | '_ \  | |  / _ \ | |
#	| |___   >  <  | (_| | | | | | | | | |_) | | | |  __/ |_|
#	|_____| /_/\_\  \__,_| |_| |_| |_| | .__/  |_|  \___| (_)
#					   |_|                   
# !!! This is an example! You will need to modify it for your specific
# !!! requirements!


# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny 

# Prevent those with no reverse DNS from connecting.
ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost
ALL : localhost : allow
ALL : my.machine.example.com : allow

# Sendmail can help protect you against spammers and relay-rapers
sendmail : localhost : allow
sendmail : .nice.guy.example.com : allow
sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow

# Exim is an alternative to sendmail, available in the ports tree
exim : localhost : allow
exim : .nice.guy.example.com : allow
exim : .evil.cracker.example.com : deny
exim : ALL : allow

# Portmapper is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here)
portmap : localhost : allow
portmap : .nice.guy.example.com : allow
portmap : .evil.cracker.example.com : deny
portmap : ALL : allow

# Provide a small amount of protection for ftpd
ftpd : localhost : allow
ftpd : .nice.guy.example.com : allow
ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
fingerd : ALL \
	: spawn (echo Finger. | \
	 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
	: deny

# The rest of the daemons are protected. Backfinger and log by email.
ALL : ALL \
	: severity auth.info : spawn (/usr/bin/finger -l @%h | \
	 /usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d  (denied)" root) & \
	: twist /bin/echo "You are not welcome to use %d from %h."
Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00			`#`
			`# hosts.allow access control file for "tcp wrapped" apps.`
$Id$ -> $FreeBSD$ 1999-08-27 23:37:10 +00:00			`# $FreeBSD$`
Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00			`#`
			`# NOTE: The hosts.deny file is not longer used. Instead, put both 'allow'`
			`# and 'deny' rules in the hosts.allow file.`
			`# see hosts_options(5) for the format of this file.`
			`# hosts_access(5) no longer fully applies.`

MFS: note that only IP addresses work when wrapping the portmapper. Make clearer we consider this only an example, and admins should really write this file for their needs. 1999-11-25 03:00:44 +00:00			`# _____ _ _`
			`# \| ____\| __ __ __ _ _ __ ___ _ __ \| \| ___ \| \|`
			# \| _\| \ \/ / / _` \| \| '_ ` _ \ \| '_ \ \| \| / _ \ \| \|
			`# \| \|___ > < \| (_\| \| \| \| \| \| \| \| \| \|_) \| \| \| \| __/ \|_\|`
			`# \|_____\| /_/\_\ \__,_\| \|_\| \|_\| \|_\| \| .__/ \|_\| \___\| (_)`
			`# \|_\|`
			`# !!! This is an example! You will need to modify it for your specific`
			`# !!! requirements!`

Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00
			`# Start by allowing everything (this prevents the rest of the file`
			`# from working, so remove it when you need protection).`
Use more politically correct examples, and expand the examples a bit. 1999-04-08 19:08:53 +00:00			`# The rules here work on a "First match wins" basis.`
Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00			`ALL : ALL : allow`

			`# Wrapping sshd(8) is not normally a good idea, but if you`
			`# need to do it, here's how`
Use more politically correct examples, and expand the examples a bit. 1999-04-08 19:08:53 +00:00			`#sshd : .evil.cracker.example.com : deny`
Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00
			`# Prevent those with no reverse DNS from connecting.`
			`ALL : PARANOID : RFC931 20 : deny`

			`# Allow anything from localhost`
			`ALL : localhost : allow`
Use more politically correct examples, and expand the examples a bit. 1999-04-08 19:08:53 +00:00			`ALL : my.machine.example.com : allow`
Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00
			`# Sendmail can help protect you against spammers and relay-rapers`
			`sendmail : localhost : allow`
Use more politically correct examples, and expand the examples a bit. 1999-04-08 19:08:53 +00:00			`sendmail : .nice.guy.example.com : allow`
			`sendmail : .evil.cracker.example.com : deny`
Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00			`sendmail : ALL : allow`

Add a sample entry for Exim, in preparation for the upcoming behaviour change in the port, where TCP Wrapper support will become the default. Requested by: markm 1999-08-03 14:52:46 +00:00			`# Exim is an alternative to sendmail, available in the ports tree`
			`exim : localhost : allow`
			`exim : .nice.guy.example.com : allow`
			`exim : .evil.cracker.example.com : deny`
			`exim : ALL : allow`

Use more politically correct examples, and expand the examples a bit. 1999-04-08 19:08:53 +00:00			`# Portmapper is used for all RPC services; protect your NFS!`
MFS: note that only IP addresses work when wrapping the portmapper. Make clearer we consider this only an example, and admins should really write this file for their needs. 1999-11-25 03:00:44 +00:00			`# (IP addresses rather than hostnames MUST be used here)`
Use more politically correct examples, and expand the examples a bit. 1999-04-08 19:08:53 +00:00			`portmap : localhost : allow`
			`portmap : .nice.guy.example.com : allow`
			`portmap : .evil.cracker.example.com : deny`
			`portmap : ALL : allow`

Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00			`# Provide a small amount of protection for ftpd`
Use more politically correct examples, and expand the examples a bit. 1999-04-08 19:08:53 +00:00			`ftpd : localhost : allow`
			`ftpd : .nice.guy.example.com : allow`
			`ftpd : .evil.cracker.example.com : deny`
Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00			`ftpd : ALL : allow`

			`# You need to be clever with finger; do _not_ backfinger!! You can easily`
			`# start a "finger war".`
			`fingerd : ALL \`
			`: spawn (echo Finger. \| \`
			`/usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \`
			`: deny`

			`# The rest of the daemons are protected. Backfinger and log by email.`
			`ALL : ALL \`
Use /usr/bin/finger rather than `safe_finger'. 1999-05-08 02:19:25 +00:00			`: severity auth.info : spawn (/usr/bin/finger -l @%h \| \`
Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute. 1999-03-28 10:47:26 +00:00			`/usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d (denied)" root) & \`
			`: twist /bin/echo "You are not welcome to use %d from %h."`