diff options
author | markm <markm@FreeBSD.org> | 1999-03-28 10:47:26 +0000 |
---|---|---|
committer | markm <markm@FreeBSD.org> | 1999-03-28 10:47:26 +0000 |
commit | 6cbcd29274c7498622010b1c966062387aad552f (patch) | |
tree | 27a000210ef33c976a68b0c5bd13f0fecbbacd5a /etc | |
parent | 6ba2a35d6e7cece362b7cf6760c0fdeb473937de (diff) | |
download | FreeBSD-src-6cbcd29274c7498622010b1c966062387aad552f.zip FreeBSD-src-6cbcd29274c7498622010b1c966062387aad552f.tar.gz |
Add an example hosts.allow for the (base system) tcp_wrappers.
Anyone with good ideas for this is welcome to contribute.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/Makefile | 8 | ||||
-rw-r--r-- | etc/hosts.allow | 48 |
2 files changed, 52 insertions, 4 deletions
diff --git a/etc/Makefile b/etc/Makefile index 59f5406..1a6fcb0 100644 --- a/etc/Makefile +++ b/etc/Makefile @@ -1,12 +1,12 @@ # from: @(#)Makefile 5.11 (Berkeley) 5/21/91 -# $Id: Makefile,v 1.193 1999/02/11 16:30:54 brian Exp $ +# $Id: Makefile,v 1.194 1999/02/12 20:51:38 dillon Exp $ SUBDIR= sendmail BIN1= aliases amd.map crontab csh.cshrc csh.login csh.logout dm.conf \ - fbtab ftpusers gettytab group hosts host.conf hosts.equiv hosts.lpd \ - inetd.conf auth.conf login.conf login.access motd modems networks \ - newsyslog.conf pam.conf phones pccard.conf.sample \ + fbtab ftpusers gettytab group hosts hosts.allow host.conf hosts.equiv \ + hosts.lpd inetd.conf auth.conf login.conf login.access motd modems \ + networks newsyslog.conf pam.conf phones pccard.conf.sample \ printcap profile protocols \ rc rc.atm rc.devfs rc.firewall rc.isdn rc.network rc.pccard \ rc.serial rc.shutdown rc.diskless1 rc.diskless2 \ diff --git a/etc/hosts.allow b/etc/hosts.allow new file mode 100644 index 0000000..b421ab1 --- /dev/null +++ b/etc/hosts.allow @@ -0,0 +1,48 @@ +# +# hosts.allow access control file for "tcp wrapped" apps. +# $Id$ +# +# NOTE: The hosts.deny file is not longer used. Instead, put both 'allow' +# and 'deny' rules in the hosts.allow file. +# see hosts_options(5) for the format of this file. +# hosts_access(5) no longer fully applies. + +# This is an example! You will need to modify it for your specific +# requirements! + +# Start by allowing everything (this prevents the rest of the file +# from working, so remove it when you need protection). +ALL : ALL : allow + +# Wrapping sshd(8) is not normally a good idea, but if you +# need to do it, here's how +#sshd : .evil.hacker.org : deny + +# Prevent those with no reverse DNS from connecting. +ALL : PARANOID : RFC931 20 : deny + +# Allow anything from localhost +ALL : localhost : allow + +# Sendmail can help protect you against spammers and relay-rapers +sendmail : localhost : allow +sendmail : .mydomain.com : allow +sendmail : .evil.spamnest.org : deny +sendmail : ALL : allow + +# Provide a small amount of protection for ftpd +ftpd : .warez.d00d.org : deny +ftpd : ALL : allow + +# You need to be clever with finger; do _not_ backfinger!! You can easily +# start a "finger war". +fingerd : ALL \ + : spawn (echo Finger. | \ + /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \ + : deny + +# The rest of the daemons are protected. Backfinger and log by email. +ALL : ALL \ + : severity auth.info : spawn (/usr/bin/safe_finger -l @%h | \ + /usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d (denied)" root) & \ + : twist /bin/echo "You are not welcome to use %d from %h." |