2 # hosts.allow access control file for "tcp wrapped" applications.
5 # NOTE: The hosts.deny file is deprecated.
6 # Place both 'allow' and 'deny' rules in the hosts.allow file.
7 # See hosts_options(5) for the format of this file.
8 # hosts_access(5) no longer fully applies.
11 # | ____| __ __ __ _ _ __ ___ _ __ | | ___ | |
12 # | _| \ \/ / / _` | | '_ ` _ \ | '_ \ | | / _ \ | |
13 # | |___ > < | (_| | | | | | | | | |_) | | | | __/ |_|
14 # |_____| /_/\_\ \__,_| |_| |_| |_| | .__/ |_| \___| (_)
16 # !!! This is an example! You will need to modify it for your specific
20 # Start by allowing everything (this prevents the rest of the file
21 # from working, so remove it when you need protection).
22 # The rules here work on a "First match wins" basis.
25 # Wrapping sshd(8) is not normally a good idea, but if you
26 # need to do it, here's how
27 #sshd : .evil.cracker.example.com : deny
29 # Prevent those with no reverse DNS from connecting.
30 ALL : PARANOID : RFC931 20 : deny
32 # Allow anything from localhost. Note that an IP address (not a host
33 # name) *MUST* be specified for portmap(8).
34 ALL : localhost 127.0.0.1 : allow
35 ALL : my.machine.example.com 192.0.2.35 : allow
37 # To use IPv6 addresses you must enclose them in []'s
38 ALL : [fe80::%fxp0]/10 : allow
39 ALL : [fe80::]/10 : deny
40 ALL : [3ffe:fffe:2:1:2:3:4:3fe1] : deny
41 ALL : [3ffe:fffe:2:1::]/64 : allow
43 # Sendmail can help protect you against spammers and relay-rapers
44 sendmail : localhost : allow
45 sendmail : .nice.guy.example.com : allow
46 sendmail : .evil.cracker.example.com : deny
47 sendmail : ALL : allow
49 # Exim is an alternative to sendmail, available in the ports tree
50 exim : localhost : allow
51 exim : .nice.guy.example.com : allow
52 exim : .evil.cracker.example.com : deny
55 # Portmapper is used for all RPC services; protect your NFS!
56 # (IP addresses rather than hostnames *MUST* be used here)
57 portmap : 192.0.2.32/255.255.255.224 : allow
58 portmap : 192.0.2.96/255.255.255.224 : allow
61 # Provide a small amount of protection for ftpd
62 ftpd : localhost : allow
63 ftpd : .nice.guy.example.com : allow
64 ftpd : .evil.cracker.example.com : deny
67 # You need to be clever with finger; do _not_ backfinger!! You can easily
68 # start a "finger war".
70 : spawn (echo Finger. | \
71 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
74 # The rest of the daemons are protected.
76 : severity auth.info \
77 : twist /bin/echo "You are not welcome to use %d from %h."