Date: Sat, 22 Sep 2018 13:17:30 +0000 (UTC) From: Brad Davis <brd@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r338887 - in head: etc lib/libwrap Message-ID: <201809221317.w8MDHUgZ002177@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: brd Date: Sat Sep 22 13:17:30 2018 New Revision: 338887 URL: https://svnweb.freebsd.org/changeset/base/338887 Log: Move hosts.allow to lib/libwrap/ This leverages CONFS to handle the install. Approved by: re (blanket, pkgbase), bapt (mentor) Differential Revision: https://reviews.freebsd.org/D17240 Added: head/lib/libwrap/hosts.allow - copied unchanged from r338886, head/etc/hosts.allow Deleted: head/etc/hosts.allow Modified: head/etc/Makefile head/lib/libwrap/Makefile Modified: head/etc/Makefile ============================================================================== --- head/etc/Makefile Sat Sep 22 13:14:44 2018 (r338886) +++ head/etc/Makefile Sat Sep 22 13:17:30 2018 (r338887) @@ -14,7 +14,6 @@ SUBDIR+=sendmail BIN1= \ group \ - hosts.allow \ login.access \ rc.bsdextended \ rc.firewall \ Modified: head/lib/libwrap/Makefile ============================================================================== --- head/lib/libwrap/Makefile Sat Sep 22 13:14:44 2018 (r338886) +++ head/lib/libwrap/Makefile Sat Sep 22 13:17:30 2018 (r338887) @@ -4,6 +4,7 @@ .include <src.opts.mk> +CONFS= hosts.allow PACKAGE=lib${LIB} LIB= wrap SHLIB_MAJOR= 6 Copied: head/lib/libwrap/hosts.allow (from r338886, head/etc/hosts.allow) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/lib/libwrap/hosts.allow Sat Sep 22 13:17:30 2018 (r338887, copy of r338886, head/etc/hosts.allow) @@ -0,0 +1,92 @@ +# +# hosts.allow access control file for "tcp wrapped" applications. +# $FreeBSD$ +# +# NOTE: The hosts.deny file is deprecated. +# Place both 'allow' and 'deny' rules in the hosts.allow file. +# See hosts_options(5) for the format of this file. +# hosts_access(5) no longer fully applies. +# +# _____ _ _ +# | ____| __ __ __ _ _ __ ___ _ __ | | ___ | | +# | _| \ \/ / / _` | | '_ ` _ \ | '_ \ | | / _ \ | | +# | |___ > < | (_| | | | | | | | | |_) | | | | __/ |_| +# |_____| /_/\_\ \__,_| |_| |_| |_| | .__/ |_| \___| (_) +# |_| +# !!! This is an example! You will need to modify it for your specific +# !!! requirements! + + +# Start by allowing everything (this prevents the rest of the file +# from working, so remove it when you need protection). +# The rules here work on a "First match wins" basis. +ALL : ALL : allow + +# Wrapping sshd(8) is not normally a good idea, but if you +# need to do it, here's how +#sshd : .evil.cracker.example.com : deny + +# Protect against simple DNS spoofing attacks by checking that the +# forward and reverse records for the remote host match. If a mismatch +# occurs, access is denied, and any positive ident response within +# 20 seconds is logged. No protection is afforded against DNS poisoning, +# IP spoofing or more complicated attacks. Hosts with no reverse DNS +# pass this rule. +ALL : PARANOID : RFC931 20 : deny + +# Allow anything from localhost. Note that an IP address (not a host +# name) *MUST* be specified for rpcbind(8). +ALL : localhost 127.0.0.1 : allow +# Comment out next line if you build libwrap without IPv6 support. +ALL : [::1] : allow +#ALL : my.machine.example.com 192.0.2.35 : allow + +# To use IPv6 addresses you must enclose them in []'s +#ALL : [fe80::%fxp0]/10 : allow +#ALL : [fe80::]/10 : deny +#ALL : [2001:db8:2:1:2:3:4:3fe1] : deny +#ALL : [2001:db8:2:1::]/64 : allow + +# Sendmail can help protect you against spammers and relay-rapers +sendmail : localhost : allow +#sendmail : .nice.guy.example.com : allow +#sendmail : .evil.cracker.example.com : deny +sendmail : ALL : allow + +# Exim is an alternative to sendmail, available in the ports tree +exim : localhost : allow +#exim : .nice.guy.example.com : allow +#exim : .evil.cracker.example.com : deny +exim : ALL : allow + +# Rpcbind is used for all RPC services; protect your NFS! +# Rpcbind should be running with -W option to support this. +# (IP addresses rather than hostnames *MUST* be used here) +#rpcbind : 192.0.2.32/255.255.255.224 : allow +#rpcbind : 192.0.2.96/255.255.255.224 : allow +rpcbind : ALL : deny + +# NIS master server. Only local nets should have access +# (Since this is an RPC service, rpcbind needs to be considered) +ypserv : localhost : allow +#ypserv : .unsafe.my.net.example.com : deny +#ypserv : .my.net.example.com : allow +ypserv : ALL : deny + +# Provide a small amount of protection for ftpd +ftpd : localhost : allow +#ftpd : .nice.guy.example.com : allow +#ftpd : .evil.cracker.example.com : deny +ftpd : ALL : allow + +# You need to be clever with finger; do _not_ backfinger!! You can easily +# start a "finger war". +fingerd : ALL \ + : spawn (echo Finger. | \ + /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \ + : deny + +# The rest of the daemons are protected. +ALL : ALL \ + : severity auth.info \ + : twist /bin/echo "You are not welcome to use %d from %h."
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201809221317.w8MDHUgZ002177>