File:  [ELWIX - Embedded LightWeight unIX -] / elwix / config / etc / default / hosts.allow
Revision 1.2
Mon Jan 28 01:47:35 2013 UTC (11 years, 5 months ago) by misho
Branches: MAIN
CVS tags: elwix2_8, elwix2_7, elwix2_6, elwix2_3, elwix2_2, elwix2_1, elwix2_0, elwix1_9_mips, elwix1_9, elwix1_8, HEAD, ELWIX2_7, ELWIX2_6, ELWIX2_5, ELWIX2_2p0, ELWIX2_1, ELWIX2_0, ELWIX1_9, ELWIX1_8, ELWIX1_7
ELWIX 1.7

    1: #
    2: # hosts.allow access control file for "tcp wrapped" applications.
    3: # $FreeBSD: src/etc/hosts.allow,v 1.24 2012/11/17 01:49:01 svnexp Exp $
    4: #
    5: # NOTE: The hosts.deny file is deprecated.
    6: #       Place both 'allow' and 'deny' rules in the hosts.allow file.
    7: #	See hosts_options(5) for the format of this file.
    8: #	hosts_access(5) no longer fully applies.
    9: 
   10: #	 _____                                      _          _
   11: #	| ____| __  __   __ _   _ __ ___    _ __   | |   ___  | |
   12: #	|  _|   \ \/ /  / _` | | '_ ` _ \  | '_ \  | |  / _ \ | |
   13: #	| |___   >  <  | (_| | | | | | | | | |_) | | | |  __/ |_|
   14: #	|_____| /_/\_\  \__,_| |_| |_| |_| | .__/  |_|  \___| (_)
   15: #					   |_|
   16: # !!! This is an example! You will need to modify it for your specific
   17: # !!! requirements!
   18: 
   19: 
   20: # Start by allowing everything. Rules are evaluated top to bottom on a
   21: # "first match wins" basis, so while the rule below is present it matches every
   22: # connection and no later rule in this file is ever consulted; remove it when you need protection.
   23: ALL : ALL : allow
   24: 
   25: # Wrapping sshd(8) is not normally a good idea, but if you
   26: # need to do it, here's how
   27: #sshd : .evil.cracker.example.com : deny
   28: 
   29: # Protect against simple DNS spoofing attacks by checking that the
   30: # forward and reverse records for the remote host match. If a mismatch
   31: # occurs, access is denied, and any positive ident response within
   32: # 20 seconds is logged. No protection is afforded against DNS poisoning,
   33: # IP spoofing or more complicated attacks. Hosts with no reverse DNS
   34: # pass this rule.
   35: ALL : PARANOID : RFC931 20 : deny
   36: 
   37: # Allow anything from localhost.  Note that an IP address (not a host
   38: # name) *MUST* be specified for rpcbind(8).
   39: ALL : localhost 127.0.0.1 : allow
   40: # Comment out next line if you build libwrap without IPv6 support.
   41: ALL : [::1] : allow
   42: #ALL : my.machine.example.com 192.0.2.35 : allow
   43: 
   44: # To use IPv6 addresses you must enclose them in []'s
   45: #ALL : [fe80::%fxp0]/10 : allow
   46: #ALL : [fe80::]/10 : deny
   47: #ALL : [2001:db8:2:1:2:3:4:3fe1] : deny
   48: #ALL : [2001:db8:2:1::]/64 : allow
   49: 
   50: # Sendmail can help protect you against spammers and relay-rapers
   51: sendmail : localhost : allow
   52: #sendmail : .nice.guy.example.com : allow
   53: #sendmail : .evil.cracker.example.com : deny
   54: sendmail : ALL : allow
   55: 
   56: # Exim is an alternative to sendmail, available in the ports tree
   57: exim : localhost : allow
   58: #exim : .nice.guy.example.com : allow
   59: #exim : .evil.cracker.example.com : deny
   60: exim : ALL : allow
   61: 
   62: # Rpcbind is used for all RPC services; protect your NFS!
   63: # (IP addresses rather than hostnames *MUST* be used here)
   64: #rpcbind : 192.0.2.32/255.255.255.224 : allow
   65: #rpcbind : 192.0.2.96/255.255.255.224 : allow
   66: rpcbind : ALL : deny
   67: 
   68: # NIS master server. Only local nets should have access
   69: # (Since this is an RPC service, rpcbind needs to be considered)
   70: ypserv : localhost : allow
   71: #ypserv : .unsafe.my.net.example.com : deny
   72: #ypserv : .my.net.example.com : allow
   73: ypserv : ALL : deny
   74: 
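   75: # Provide a small amount of protection for ftpd. As shipped, the closing "ftpd : ALL : allow" admits every host, so any protection comes only from deny rules you add above it.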
   76: ftpd : localhost : allow
   77: #ftpd : .nice.guy.example.com : allow
   78: #ftpd : .evil.cracker.example.com : deny
   79: ftpd : ALL : allow
   80: 
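   81: # You need to be clever with finger; do _not_ backfinger!! You can easily
   82: # start a "finger war". The rule below mails root about each attempt and then denies it. %u and %h come from the remote side (ident reply, host name) and are placed in a shell command; hosts_access(5) states that characters in % expansions that may confuse the shell are replaced by underscores.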
   83: fingerd : ALL \
   84: 	: spawn (echo Finger. | \
   85: 	 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
   86: 	: deny
   87: 
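   88: # The rest of the daemons are protected: a connection that reaches this rule is logged at auth.info and answered with the message below instead of the service. This only takes effect once the "ALL : ALL : allow" rule near the top has been removed.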
   89: ALL : ALL \
   90: 	: severity auth.info \
   91: 	: twist /bin/echo "You are not welcome to use %d from %h."
