| | 1 | # |
| | 2 | # hosts.allow access control file for "tcp wrapped" applications. |
| | 3 | # $FreeBSD: src/etc/hosts.allow,v 1.8.2.7 2002/04/17 19:44:22 dougb Exp $ |
| | 4 | # $DragonFly: src/etc/hosts.allow,v 1.4 2008/08/10 21:29:16 hasso Exp $ |
| | 5 | # |
| | 6 | # NOTE: The hosts.deny file is deprecated. |
| | 7 | # Place both 'allow' and 'deny' rules in the hosts.allow file. |
| | 8 | # See hosts_options(5) for the format of this file. |
| | 9 | # hosts_access(5) no longer fully applies. |
| | 10 | |
| | 11 | # _____ _ _ |
| | 12 | # | ____| __ __ __ _ _ __ ___ _ __ | | ___ | | |
| | 13 | # | _| \ \/ / / _` | | '_ ` _ \ | '_ \ | | / _ \ | | |
| | 14 | # | |___ > < | (_| | | | | | | | | |_) | | | | __/ |_| |
| | 15 | # |_____| /_/\_\ \__,_| |_| |_| |_| | .__/ |_| \___| (_) |
| | 16 | # |_| |
| | 17 | # !!! This is an example! You will need to modify it for your specific |
| | 18 | # !!! requirements! |
| | 19 | |
| | 20 | |
| | 21 | # Start by allowing everything (this prevents the rest of the file |
| | 22 | # from working, so remove it when you need protection). |
| | 23 | # The rules here work on a "First match wins" basis. |
| | 24 | ALL : ALL : allow |
| | 25 | |
| | 26 | # Wrapping sshd(8) is not normally a good idea, but if you |
| | 27 | # need to do it, here's how |
| | 28 | #sshd : .evil.cracker.example.com : deny |
| | 29 | |
| | 30 | # Protect against simple DNS spoofing attacks by checking that the |
| | 31 | # forward and reverse records for the remote host match. If a mismatch |
| | 32 | # occurs, access is denied, and any positive ident response within |
| | 33 | # 20 seconds is logged. No protection is afforded against DNS poisoning, |
| | 34 | # IP spoofing or more complicated attacks. Hosts with no reverse DNS |
| | 35 | # pass this rule. |
| | 36 | ALL : PARANOID : RFC931 20 : deny |
| | 37 | |
| | 38 | # Allow anything from localhost. Note that an IP address (not a host |
| | 39 | # name) *MUST* be specified for portmap(8). |
| | 40 | ALL : localhost 127.0.0.1 : allow |
| | 41 | ALL : my.machine.example.com 192.0.2.35 : allow |
| | 42 | |
| | 43 | # To use IPv6 addresses you must enclose them in []'s |
| | 44 | ALL : [fe80::%fxp0]/10 : allow |
| | 45 | ALL : [fe80::]/10 : deny |
| | 46 | ALL : [2001:db8:2:1:2:3:4:3fe1] : deny |
| | 47 | ALL : [2001:db8:2:1::]/64 : allow |
| | 48 | |
| | 49 | # Sendmail can help protect you against spammers and relay-rapers |
| | 50 | sendmail : localhost : allow |
| | 51 | sendmail : .nice.guy.example.com : allow |
| | 52 | sendmail : .evil.cracker.example.com : deny |
| | 53 | sendmail : ALL : allow |
| | 54 | |
| | 55 | # Exim is an alternative to sendmail, available in the pkgsrc tree |
| | 56 | exim : localhost : allow |
| | 57 | exim : .nice.guy.example.com : allow |
| | 58 | exim : .evil.cracker.example.com : deny |
| | 59 | exim : ALL : allow |
| | 60 | |
| | 61 | # Portmapper is used for all RPC services; protect your NFS! |
| | 62 | # (IP addresses rather than hostnames *MUST* be used here) |
| | 63 | portmap : 192.0.2.32/255.255.255.224 : allow |
| | 64 | portmap : 192.0.2.96/255.255.255.224 : allow |
| | 65 | portmap : ALL : deny |
| | 66 | |
| | 67 | # Provide a small amount of protection for ftpd |
| | 68 | ftpd : localhost : allow |
| | 69 | ftpd : .nice.guy.example.com : allow |
| | 70 | ftpd : .evil.cracker.example.com : deny |
| | 71 | ftpd : ALL : allow |
| | 72 | |
| | 73 | # You need to be clever with finger; do _not_ backfinger!! You can easily |
| | 74 | # start a "finger war". |
| | 75 | fingerd : ALL \ |
| | 76 | : spawn (echo Finger. | \ |
| | 77 | /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \ |
| | 78 | : deny |
| | 79 | |
| | 80 | # The rest of the daemons are protected. |
| | 81 | ALL : ALL \ |
| | 82 | : severity auth.info \ |
| | 83 | : twist /bin/echo "You are not welcome to use %d from %h." |
projects / dragonfly.git / blame_incremental