#
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: src/etc/hosts.allow,v 1.8.2.7 2002/04/17 19:44:22 dougb Exp $
# $DragonFly: src/etc/hosts.allow,v 1.4 2008/08/10 21:29:16 hasso Exp $
#
# NOTE: The hosts.deny file is deprecated.
# Place both 'allow' and 'deny' rules in the hosts.allow file.
# See hosts_options(5) for the format of this file.
# hosts_access(5) no longer fully applies.
#
# Each rule has the shape
#     daemon_list : client_list [ : option : option ... ]
# Rules are evaluated top to bottom; the first rule whose daemon list
# and client list both match decides the outcome and nothing below it
# is consulted. Keep specific 'deny' rules above any broad 'allow'
# rule for the same daemon, and audit the file from the top down.

#  _____                                 _        _
# | ____| __  __  __ _  _ __ ___  _ __ | |  ___ | |
# |  _|   \ \/ / / _` || '_ ` _ \| '_ \| | / _ \| |
# | |___   >  < | (_| || | | | | | |_) | ||  __/|_|
# |_____| /_/\_\ \__,_||_| |_| |_| .__/|_| \___|(_)
#                                |_|
# !!! This is an example! You will need to modify it for your specific
# !!! requirements!


# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
# While this line is present every connection matches it, so none of
# the deny rules further down are ever reached.
ALL : ALL : allow

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
# (a client pattern starting with '.' matches every host name that
# ends in that domain)
#sshd : .evil.cracker.example.com : deny

# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
# 'RFC931 20' is the ident lookup with a 20-second timeout; its result
# is only recorded in the log, it does not influence the decision.
ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost. Note that an IP address (not a host
# name) *MUST* be specified for portmap(8).
ALL : localhost 127.0.0.1 : allow
# Example entry for this machine itself. example.com and 192.0.2.35
# are documentation placeholders -- substitute your own name/address.
ALL : my.machine.example.com 192.0.2.35 : allow

# To use IPv6 addresses you must enclose them in []'s
# Link-local addresses carry an interface scope ('%fxp0'): the first
# rule admits link-local peers seen on fxp0, the second refuses
# link-local traffic on any other interface. Order matters here
# because the first match wins.
ALL : [fe80::%fxp0]/10 : allow
ALL : [fe80::]/10 : deny
# Deny one specific host, then admit the rest of its /64.
ALL : [2001:db8:2:1:2:3:4:3fe1] : deny
ALL : [2001:db8:2:1::]/64 : allow

# Sendmail can help protect you against spammers and relay-rapers
# The domain-suffix rules are matched against the client's reverse DNS
# name, so a client with no (or a forged) PTR record is only caught by
# the PARANOID rule above. The closing 'ALL : allow' admits every host
# not matched earlier in this group.
sendmail : localhost : allow
sendmail : .nice.guy.example.com : allow
sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow

# Exim is an alternative to sendmail, available in the pkgsrc tree
# Same structure and the same caveats as the sendmail group above.
exim : localhost : allow
exim : .nice.guy.example.com : allow
exim : .evil.cracker.example.com : deny
exim : ALL : allow

# Portmapper is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here)
# Two networks written with a dotted netmask (255.255.255.224 is a /27);
# everything else is refused by the closing deny rule. Unlike the mail
# and ftp groups, this group is default-deny.
portmap : 192.0.2.32/255.255.255.224 : allow
portmap : 192.0.2.96/255.255.255.224 : allow
portmap : ALL : deny

# Provide a small amount of protection for ftpd
# Same structure and the same reverse-DNS caveat as the sendmail group;
# the closing 'ALL : allow' lets in any host not matched above.
ftpd : localhost : allow
ftpd : .nice.guy.example.com : allow
ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
# A trailing backslash continues the rule on the next line. 'spawn'
# runs the shell command (in the background, note the '&') and the
# request is then denied. '\:' is an escaped colon so the mail subject
# is not split into a further option field; %u, %h and %a expand to the
# client user name, host name and address.
fingerd : ALL \
: spawn (echo Finger. | \
/usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
: deny

# The rest of the daemons are protected.
# 'severity' sets the syslog priority of the log entry; 'twist'
# replaces the requested service with the given command, so the client
# only receives this message and the real daemon is never started
# (%d expands to the daemon name, %h to the client host).
ALL : ALL \
: severity auth.info \
: twist /bin/echo "You are not welcome to use %d from %h."