netcfg/hosts.allow

# /etc/hosts.allow
# Make sure package tcpd is installed on your system for this to work.
# See 'man tcpd' and 'man 5 hosts_access' for a detailed description
# of /etc/hosts.allow and /etc/hosts.deny.
#
# short overview about daemons and servers that are built with
# tcp_wrappers support:
# 
# package name  |       daemon path     |       token
# ----------------------------------------------------------------------------
# ssh, openssh  |  /usr/sbin/sshd       |  sshd, sshd-fwd-x11, sshd-fwd-<port>
# quota         | /usr/sbin/rpc.rquotad |  rquotad
# tftpd         | /usr/sbin/in.tftpd    |  in.tftpd
# portmap       |  /sbin/portmap        |  portmap
#                       The portmapper does not verify against hostnames
#                       to prevent hangs. It only checks non-local addresses.
# 
# (kernel nfs server)
# nfs-utils     |  /usr/sbin/rpc.mountd |  mountd
# nfs-utils     |  /sbin/rpc.statd      |  statd
#
# (unfsd, userspace nfs server)
# nfs-server    |  /usr/sbin/rpc.mountd |  rpc.mountd
# nfs-server    |  /usr/sbin/rpc.ugidd  |  rpc.ugidd
#
# (printing services)
# lprng         |  /usr/sbin/lpd        |  lpd
# cups          |  /usr/sbin/cupsd      |  cupsd
#                       The cupsd server daemon reports to the cups
#                       error logs, not to the syslog(3) facility.
#
# (Uniterrupted Power Supply Software)
# apcupsd       |  /sbin/apcupsd        |  apcupsd
# apcupsd       |  /sbin/apcnisd        |  apcnisd
# 
# All of the other network servers such as samba, apache or X, have their own
# access control scheme that should be used instead.
#
# In addition to the services above, the services that are started on request 
# by inetd or xinetd use tcpd to "wrap" the network connection. tcpd uses
# the last component of the server pathname as a token to match a service in
# /etc/hosts.{allow,deny}. See the file /etc/inetd.conf for the token names.
# The following examples work when uncommented:
#
#
# Example 1: Fire up a mail to the admin if a connection to the printer daemon
# has been made from host foo.bar.com, but simply deny all others:
# lpd : foo.bar.com : spawn /bin/echo "%h printer access" | \
#                               mail -s "tcp_wrappers on %H" root
# 
#
# Example 2: grant access from local net, reject with message from elsewhere.
# in.telnetd : ALL EXCEPT LOCAL : ALLOW
# in.telnetd : ALL : \
#    twist /bin/echo -e "\n\raccess from %h declined.\n\rGo away.";sleep 2
#
#
# Example 3: run a different instance of rsyncd if the connection comes 
#            from network 172.20.0.0/24, but regular for others:
# rsyncd : 172.20.0.0/255.255.255.0 : twist /usr/local/sbin/my_rsyncd-script
# rsyncd : ALL : ALLOW
#
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/netcfg?expand=0&rev=1 2007-01-16 00:26:46 +01:00			`# /etc/hosts.allow`
- Tell users to really install tcpd if they expects hosts.* to work bsc#1099755 OBS-URL: https://build.opensuse.org/package/show/Base:System/netcfg?expand=0&rev=56 2018-07-02 11:40:57 +02:00			`# Make sure package tcpd is installed on your system for this to work.`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/netcfg?expand=0&rev=1 2007-01-16 00:26:46 +01:00			`# See 'man tcpd' and 'man 5 hosts_access' for a detailed description`
			`# of /etc/hosts.allow and /etc/hosts.deny.`
			`#`
			`# short overview about daemons and servers that are built with`
			`# tcp_wrappers support:`
			`#`
			`# package name \| daemon path \| token`
			`# ----------------------------------------------------------------------------`
			`# ssh, openssh \| /usr/sbin/sshd \| sshd, sshd-fwd-x11, sshd-fwd-<port>`
			`# quota \| /usr/sbin/rpc.rquotad \| rquotad`
			`# tftpd \| /usr/sbin/in.tftpd \| in.tftpd`
			`# portmap \| /sbin/portmap \| portmap`
			`# The portmapper does not verify against hostnames`
			`# to prevent hangs. It only checks non-local addresses.`
			`#`
			`# (kernel nfs server)`
			`# nfs-utils \| /usr/sbin/rpc.mountd \| mountd`
			`# nfs-utils \| /sbin/rpc.statd \| statd`
			`#`
			`# (unfsd, userspace nfs server)`
			`# nfs-server \| /usr/sbin/rpc.mountd \| rpc.mountd`
			`# nfs-server \| /usr/sbin/rpc.ugidd \| rpc.ugidd`
			`#`
			`# (printing services)`
			`# lprng \| /usr/sbin/lpd \| lpd`
			`# cups \| /usr/sbin/cupsd \| cupsd`
			`# The cupsd server daemon reports to the cups`
			`# error logs, not to the syslog(3) facility.`
			`#`
			`# (Uniterrupted Power Supply Software)`
			`# apcupsd \| /sbin/apcupsd \| apcupsd`
			`# apcupsd \| /sbin/apcnisd \| apcnisd`
			`#`
			`# All of the other network servers such as samba, apache or X, have their own`
			`# access control scheme that should be used instead.`
			`#`
			`# In addition to the services above, the services that are started on request`
			`# by inetd or xinetd use tcpd to "wrap" the network connection. tcpd uses`
			`# the last component of the server pathname as a token to match a service in`
			`# /etc/hosts.{allow,deny}. See the file /etc/inetd.conf for the token names.`
			`# The following examples work when uncommented:`
			`#`
			`#`
			`# Example 1: Fire up a mail to the admin if a connection to the printer daemon`
			`# has been made from host foo.bar.com, but simply deny all others:`
			`# lpd : foo.bar.com : spawn /bin/echo "%h printer access" \| \`
			`# mail -s "tcp_wrappers on %H" root`
			`#`
			`#`
			`# Example 2: grant access from local net, reject with message from elsewhere.`
			`# in.telnetd : ALL EXCEPT LOCAL : ALLOW`
			`# in.telnetd : ALL : \`
			`# twist /bin/echo -e "\n\raccess from %h declined.\n\rGo away.";sleep 2`
			`#`
			`#`
			`# Example 3: run a different instance of rsyncd if the connection comes`
			`# from network 172.20.0.0/24, but regular for others:`
			`# rsyncd : 172.20.0.0/255.255.255.0 : twist /usr/local/sbin/my_rsyncd-script`
			`# rsyncd : ALL : ALLOW`
			`#`