Add an example hosts.allow for the (base system) tcp_wrappers.

Anyone with good ideas for this is welcome to contribute.
svn path=/head/; revision=45088
1999-03-28 10:47:26 +00:00 · 1999-03-28 10:47:26 +00:00 · f8b0e8c9ff · 2020-12-20 02:59:44 +00:00
commit f8b0e8c9ff
parent ccaba9fc2b
2 changed files with 52 additions and 4 deletions
--- a/etc/Makefile
+++ b/etc/Makefile
@ -1,12 +1,12 @@
 #	from: @(#)Makefile	5.11 (Berkeley) 5/21/91
-#	$Id: Makefile,v 1.193 1999/02/11 16:30:54 brian Exp $
+#	$Id: Makefile,v 1.194 1999/02/12 20:51:38 dillon Exp $

 SUBDIR=	sendmail

 BIN1=   aliases amd.map crontab csh.cshrc csh.login csh.logout dm.conf \
-	fbtab ftpusers gettytab group hosts host.conf hosts.equiv hosts.lpd \
-	inetd.conf auth.conf login.conf login.access motd modems networks \
-	newsyslog.conf pam.conf phones pccard.conf.sample \
+	fbtab ftpusers gettytab group hosts hosts.allow host.conf hosts.equiv \
+	hosts.lpd inetd.conf auth.conf login.conf login.access motd modems \
+	networks newsyslog.conf pam.conf phones pccard.conf.sample \
 	printcap profile protocols \
 	rc rc.atm rc.devfs rc.firewall rc.isdn rc.network rc.pccard \
 	rc.serial rc.shutdown rc.diskless1 rc.diskless2 \
--- a/etc/hosts.allow
+++ b/etc/hosts.allow
@ -0,0 +1,48 @@
+#
+# hosts.allow access control file for "tcp wrapped" apps.
+# $Id$
+#
+# NOTE: The hosts.deny file is not longer used.  Instead, put both 'allow'
+#       and 'deny' rules in the hosts.allow file.
+# see hosts_options(5) for the format of this file.
+# hosts_access(5) no longer fully applies.
+
+# This is an example! You will need to modify it for your specific
+# requirements!
+
+# Start by allowing everything (this prevents the rest of the file
+# from working, so remove it when you need protection).
+ALL : ALL : allow
+
+# Wrapping sshd(8) is not normally a good idea, but if you
+# need to do it, here's how
+#sshd : .evil.hacker.org : deny 
+
+# Prevent those with no reverse DNS from connecting.
+ALL : PARANOID : RFC931 20 : deny
+
+# Allow anything from localhost
+ALL : localhost : allow
+
+# Sendmail can help protect you against spammers and relay-rapers
+sendmail : localhost : allow
+sendmail : .mydomain.com : allow
+sendmail : .evil.spamnest.org : deny
+sendmail : ALL : allow
+
+# Provide a small amount of protection for ftpd
+ftpd : .warez.d00d.org : deny
+ftpd : ALL : allow
+
+# You need to be clever with finger; do _not_ backfinger!! You can easily
+# start a "finger war".
+fingerd : ALL \
+	: spawn (echo Finger. | \
+	 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
+	: deny
+
+# The rest of the daemons are protected. Backfinger and log by email.
+ALL : ALL \
+	: severity auth.info : spawn (/usr/bin/safe_finger -l @%h | \
+	 /usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d  (denied)" root) & \
+	: twist /bin/echo "You are not welcome to use %d from %h."