2 # hosts.allow access control file for "tcp wrapped" apps.
5 # NOTE: The hosts.deny file is no longer used. Instead, put both 'allow'
6 # and 'deny' rules in the hosts.allow file.
7 # See hosts_options(5) for the format of this file.
8 # hosts_access(5) no longer fully applies.
10 # This is an example! You will need to modify it for your specific
13 # Start by allowing everything (an allow-all rule placed first matches
14 # every connection, so none of the rules below it take effect; remove it
15 # when you need protection). The rules here work on a "First match wins" basis.
18 # Wrapping sshd(8) is not normally a good idea, but if you
19 # need to do it, here's how
20 #sshd : .evil.cracker.example.com : deny
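22 # Prevent those with no reverse DNS from connecting. Per hosts_access(5),
# PARANOID matches a host whose name does not match its address. The ident
# (RFC931) user name is reported by the client host, so treat it as
# informational only.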
23 ALL : PARANOID : RFC931 20 : deny
25 # Allow anything from localhost
26 ALL : localhost : allow
27 ALL : my.machine.example.com : allow
29 # Sendmail can help protect you against spammers and relay-rapers
30 sendmail : localhost : allow
31 sendmail : .nice.guy.example.com : allow
32 sendmail : .evil.cracker.example.com : deny
33 sendmail : ALL : allow
35 # Exim is an alternative to sendmail, available in the ports tree
36 exim : localhost : allow
37 exim : .nice.guy.example.com : allow
38 exim : .evil.cracker.example.com : deny
41 # Portmapper is used for all RPC services; protect your NFS!
42 portmap : localhost : allow
43 portmap : .nice.guy.example.com : allow
44 portmap : .evil.cracker.example.com : deny
47 # Provide a small amount of protection for ftpd
48 ftpd : localhost : allow
49 ftpd : .nice.guy.example.com : allow
50 ftpd : .evil.cracker.example.com : deny
53 # You need to be clever with finger; do _not_ backfinger!! You can easily
54 # start a "finger war".
56 : spawn (echo Finger. | \
57 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
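60 # The rest of the daemons are protected. Backfinger and log by email.
# Note: each denied connection spawns an outbound finger to the client host
# and a mail to root, so a burst of denied connections also produces a burst
# of lookups and mail. %u and %h are values reported by, or looked up for,
# the client.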
62 : severity auth.info : spawn (/usr/bin/finger -l @%h | \
63 /usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d (denied)" root) & \
64 : twist /bin/echo "You are not welcome to use %d from %h."