[LUAU] hosts.allow/deny

bbraun at sparcy.synack.net
Mon Feb 1 11:01:25 PST 1999


Here's a hosts.allow that we use at the university.

Rob

##############################################################################
# Access control for tcpd/portmap :: see /usr/local/tcpd/{bin,lib,man}
##############################################################################
#
# This file is under RCS. If you edit it directly, your changes will be lost.
#
# The MASTER for this file is suod:/local/etc/hosts.allow.proto
#
# RCS: $Id: hosts.allow.proto,v 1.11 1997/12/01 20:09:39 millert Exp $
#

#-----------------------------------------------------------------------------
# Deny any connection whose reverse (PTR) name does not resolve back to the
# connecting address (tcpd's PARANOID match)
#-----------------------------------------------------------------------------
ALL : PARANOID : banners /usr/local/tcpd/lib/paranoid : DENY

#-----------------------------------------------------------------------------
# Host-specific additions.
# CAUTION: These will preempt rules in the sections that follow.
#-----------------------------------------------------------------------------
${HOST-SPECIFIC}

#-----------------------------------------------------------------------------
# Special case rulesets to deny certain hosts/nets
#-----------------------------------------------------------------------------
#ALL : somehost : banners /usr/local/tcpd/lib/denied : DENY

#-----------------------------------------------------------------------------
# General acceptance rules
#-----------------------------------------------------------------------------
sendmail : \
	ALL : banners /usr/local/tcpd/lib/allowed : ALLOW
in.fingerd fingerd : \
	ALL : banners /usr/local/tcpd/lib/allowed : ALLOW
in.ftpd ftpd : \
	ALL : banners /usr/local/tcpd/lib/allowed : ALLOW
klogind eklogind kshd : \
	ALL : banners /usr/local/tcpd/lib/allowed : ALLOW
popper : \
	ALL : banners /usr/local/tcpd/lib/allowed : ALLOW
imapd : \
	ALL : banners /usr/local/tcpd/lib/allowed : ALLOW
talkd in.talkd ntalkd in.ntalkd : \
	ALL : banners /usr/local/tcpd/lib/allowed : ALLOW
sshd : \
	ALL : banners /usr/local/tcpd/lib/allowed : ALLOW

#-----------------------------------------------------------------------------
# Only allow these from secure (and in some cases slip) nets
#-----------------------------------------------------------------------------
# must retain 'proxy' since that's the telnet proxy into the dept.
in.telnetd telnetd : \
	${SECURE} proxy.cs.colorado.edu : banners /usr/local/tcpd/lib/allowed \
	: ALLOW

in.tftpd tftpd : \
	${SECURE} \
	: ALLOW

# NOTE: 128.138.205.128/255.255.255.128 is the /25 starting at .128. tcpd tests
# (addr & mask) == net, so the mask 255.255.255.127 originally written here
# (not a valid netmask: bit 7 of the last octet is clear) could never match.
in.rexecd in.rlogind in.rshd rexecd rlogind rshd remshd : \
	128.138.198.0/255.255.255.0 128.138.205.128/255.255.255.128 \
	128.138.192.128/255.255.255.192 ${SECURE} proxy.cs.colorado.edu \
	: ALLOW

#-----------------------------------------------------------------------------
# Wietse Venema's 'portmap' (only allowed from secure and slip nets)
#-----------------------------------------------------------------------------
# 255.255.255.128 is the /25 mask; tcpd compares (addr & mask) == net, so the
# 255.255.255.127 originally written here could never match.
portmap : \
	128.138.198.0/255.255.255.0 128.138.205.128/255.255.255.128 \
	128.138.192.128/255.255.255.192 \
	${SECURE} \
	: ALLOW

#-----------------------------------------------------------------------------
# Watch for and alert on suspicious activity
#-----------------------------------------------------------------------------
# Disabled here. The spawn command is handed to /bin/sh -c as written (tcpd only
# expands the %-sequences and strips shell metacharacters from them), so the
# subject is quoted with plain double quotes: an escaped \" would reach the
# shell as a literal quote character and split the subject into separate words.
#in.tftpd tftpd : ALL : spawn (/usr/local/tcpd/bin/safe_finger -l @%h | /usr/ucb/mail -s "TCPD-ALARM -- in.tftpd attempted from %c" root) & : DENY

#-----------------------------------------------------------------------------
# Anything that didn't match is denied
#-----------------------------------------------------------------------------
ALL : ALL : banners /usr/local/tcpd/lib/denied : DENY
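The ruleset above relies on hosts.allow being read top to bottom with the first matching rule deciding: the PARANOID line must come first, host-specific rules preempt everything after them, and the final ALL : ALL : DENY catches whatever fell through. The following is an added example (not code from the post or from tcp_wrappers) that models that evaluation in Python over a constructed subset of the file. It assumes ${SECURE} is 128.138.198.0/24, replaces DNS with inline tables, and includes a lint that shows why a net/mask pair whose net has bits outside its mask, such as 128.138.205.128/255.255.255.127, can never match: tcpd compares (addr & mask) against the net exactly as written.

```python
"""Minimal model of tcp_wrappers hosts.allow evaluation (first match wins).
Added example, not code from the post or from tcp_wrappers; covers only the syntax
the posted file uses.  DNS is replaced by inline tables so it runs offline."""
import ipaddress

# Constructed subset of the posted ruleset; ${SECURE} is assumed to be
# 128.138.198.0/24 (an assumption, not stated in the post).
SAMPLE_HOSTS_ALLOW = """\
ALL : PARANOID : banners /usr/local/tcpd/lib/paranoid : DENY
sshd : \\
    ALL : banners /usr/local/tcpd/lib/allowed : ALLOW
in.telnetd telnetd : \\
    128.138.198.0/255.255.255.0 proxy.cs.colorado.edu : banners /usr/local/tcpd/lib/allowed \\
    : ALLOW
portmap : \\
    128.138.198.0/255.255.255.0 128.138.205.128/255.255.255.127 \\
    : ALLOW
ALL : ALL : banners /usr/local/tcpd/lib/denied : DENY
"""

# Constructed DNS tables (all addresses and names are made up for the demo).
DNS_PTR = {
    "128.138.204.5": "proxy.cs.colorado.edu",
    "128.138.205.130": "nfsclient.cs.colorado.edu",
    "192.0.2.77": "proxy.cs.colorado.edu",   # forged PTR; A record points elsewhere
}
DNS_A = {
    "proxy.cs.colorado.edu": "128.138.204.5",
    "nfsclient.cs.colorado.edu": "128.138.205.130",
}

def client_name(addr):
    """tcpd's view of the client: the PTR name if its A record maps back to
    addr, "paranoid" if it does not, "unknown" if there is no PTR at all."""
    ptr = DNS_PTR.get(addr)
    if ptr is None:
        return "unknown"
    return ptr if DNS_A.get(ptr) == addr else "paranoid"

def parse_rules(text):
    """Return [(daemons, clients, option_keywords)] in file order."""
    rules, pending = [], []
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):        # backslash line continuation
            pending.append(raw.rstrip()[:-1])
            continue
        line = "".join(pending + [raw]).strip()
        pending = []
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: " + line)
        options = [f.split()[0].upper() for f in fields[2:] if f]
        rules.append((fields[0].split(), fields[1].split(), options))
    return rules

def masked_match(net_tok, mask_tok, addr):
    """tcpd's net/mask test: (addr & mask) == net, with net taken literally."""
    net = int(ipaddress.IPv4Address(net_tok))
    mask = int(ipaddress.IPv4Address(mask_tok))
    return (int(ipaddress.IPv4Address(addr)) & mask) == net

def client_matches(pattern, addr, name):
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return name == "paranoid"
    if "/" in pattern:
        return masked_match(*pattern.split("/", 1), addr)
    return name.lower() == pattern.lower()    # "unknown"/"paranoid" never match a host

def evaluate(rules, daemon, addr):
    """First matching rule decides: a DENY option denies, anything else allows.
    Returns (verdict, rule_index); ("NOMATCH", None) means hosts.deny is consulted next."""
    name = client_name(addr)
    for i, (daemons, clients, options) in enumerate(rules):
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(client_matches(c, addr, name) for c in clients):
            return ("DENY" if "DENY" in options else "ALLOW"), i
    return "NOMATCH", None

def check_masks(rules):
    """Flag net/mask pairs that cannot work: a mask with a zero bit below a one
    bit, or a net with bits outside its mask (then (addr & mask) == net never holds)."""
    warnings = []
    for i, (_, clients, _) in enumerate(rules):
        for pat in [c for c in clients if "/" in c]:
            net_tok, mask_tok = pat.split("/", 1)
            net = int(ipaddress.IPv4Address(net_tok))
            inv = ~int(ipaddress.IPv4Address(mask_tok)) & 0xFFFFFFFF
            if inv & (inv + 1):
                warnings.append(f"rule {i}: {pat}: mask is not contiguous")
            if net & inv:
                warnings.append(f"rule {i}: {pat}: net has bits outside mask, can never match")
    return warnings

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_HOSTS_ALLOW)
    print(evaluate(rules, "portmap", "128.138.205.130"), check_masks(rules))
```

Running it shows the forged-PTR client from 192.0.2.77 stopped by rule 0 before any daemon-specific rule is reached, sshd from an address with no PTR allowed by the blanket rule, and the portmap client at 128.138.205.130 denied by the catch-all because the .127 mask rule is dead; re-parsing the text with the mask corrected to 255.255.255.128 makes the same client match the portmap rule and clears the warnings.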


