Index: head/etc/hosts.allow =================================================================== --- head/etc/hosts.allow (revision 338886) +++ head/etc/hosts.allow (nonexistent) @@ -1,92 +0,0 @@ -# -# hosts.allow access control file for "tcp wrapped" applications. -# $FreeBSD$ -# -# NOTE: The hosts.deny file is deprecated. -# Place both 'allow' and 'deny' rules in the hosts.allow file. -# See hosts_options(5) for the format of this file. -# hosts_access(5) no longer fully applies. -# -# _____ _ _ -# | ____| __ __ __ _ _ __ ___ _ __ | | ___ | | -# | _| \ \/ / / _` | | '_ ` _ \ | '_ \ | | / _ \ | | -# | |___ > < | (_| | | | | | | | | |_) | | | | __/ |_| -# |_____| /_/\_\ \__,_| |_| |_| |_| | .__/ |_| \___| (_) -# |_| -# !!! This is an example! You will need to modify it for your specific -# !!! requirements! - - -# Start by allowing everything (this prevents the rest of the file -# from working, so remove it when you need protection). -# The rules here work on a "First match wins" basis. -ALL : ALL : allow - -# Wrapping sshd(8) is not normally a good idea, but if you -# need to do it, here's how -#sshd : .evil.cracker.example.com : deny - -# Protect against simple DNS spoofing attacks by checking that the -# forward and reverse records for the remote host match. If a mismatch -# occurs, access is denied, and any positive ident response within -# 20 seconds is logged. No protection is afforded against DNS poisoning, -# IP spoofing or more complicated attacks. Hosts with no reverse DNS -# pass this rule. -ALL : PARANOID : RFC931 20 : deny - -# Allow anything from localhost. Note that an IP address (not a host -# name) *MUST* be specified for rpcbind(8). -ALL : localhost 127.0.0.1 : allow -# Comment out next line if you build libwrap without IPv6 support. -ALL : [::1] : allow -#ALL : my.machine.example.com 192.0.2.35 : allow - -# To use IPv6 addresses you must enclose them in []'s -#ALL : [fe80::%fxp0]/10 : allow -#ALL : [fe80::]/10 : deny -#ALL : [2001:db8:2:1:2:3:4:3fe1] : deny -#ALL : [2001:db8:2:1::]/64 : allow - -# Sendmail can help protect you against spammers and relay-rapers -sendmail : localhost : allow -#sendmail : .nice.guy.example.com : allow -#sendmail : .evil.cracker.example.com : deny -sendmail : ALL : allow - -# Exim is an alternative to sendmail, available in the ports tree -exim : localhost : allow -#exim : .nice.guy.example.com : allow -#exim : .evil.cracker.example.com : deny -exim : ALL : allow - -# Rpcbind is used for all RPC services; protect your NFS! -# Rpcbind should be running with -W option to support this. -# (IP addresses rather than hostnames *MUST* be used here) -#rpcbind : 192.0.2.32/255.255.255.224 : allow -#rpcbind : 192.0.2.96/255.255.255.224 : allow -rpcbind : ALL : deny - -# NIS master server. Only local nets should have access -# (Since this is an RPC service, rpcbind needs to be considered) -ypserv : localhost : allow -#ypserv : .unsafe.my.net.example.com : deny -#ypserv : .my.net.example.com : allow -ypserv : ALL : deny - -# Provide a small amount of protection for ftpd -ftpd : localhost : allow -#ftpd : .nice.guy.example.com : allow -#ftpd : .evil.cracker.example.com : deny -ftpd : ALL : allow - -# You need to be clever with finger; do _not_ backfinger!! You can easily -# start a "finger war". -fingerd : ALL \ - : spawn (echo Finger. | \ - /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \ - : deny - -# The rest of the daemons are protected. -ALL : ALL \ - : severity auth.info \ - : twist /bin/echo "You are not welcome to use %d from %h." Property changes on: head/etc/hosts.allow ___________________________________________________________________ Deleted: svn:keywords ## -1 +0,0 ## -FreeBSD=%H \ No newline at end of property Index: head/etc/Makefile =================================================================== --- head/etc/Makefile (revision 338886) +++ head/etc/Makefile (revision 338887) @@ -1,217 +1,216 @@ # from: @(#)Makefile 5.11 (Berkeley) 5/21/91 # $FreeBSD$ .include FILESGROUPS= FILES # No need as it is empty and just causes rebuilds since this file does so much. UPDATE_DEPENDFILE= no .if ${MK_SENDMAIL} != "no" SUBDIR+=sendmail .endif BIN1= \ group \ - hosts.allow \ login.access \ rc.bsdextended \ rc.firewall \ termcap.small # NB: keep these sorted by MK_* knobs .if ${MK_SENDMAIL} != "no" BIN1+= rc.sendmail .endif .if ${MK_SENDMAIL} == "no" ETCMAIL=mailer.conf aliases .else ETCMAIL=Makefile README mailer.conf access.sample virtusertable.sample \ mailertable.sample aliases .endif # Special top level files for FreeBSD FREEBSD=COPYRIGHT # Sanitize DESTDIR DESTDIR:= ${DESTDIR:C://*:/:g} afterinstall: .if ${MK_MAN} != "no" ${_+_}cd ${SRCTOP}/share/man; ${MAKE} makedb .endif distribute: # Avoid installing tests here; "make distribution" will do this and # correctly place them in the right location. ${_+_}cd ${.CURDIR} ; ${MAKE} MK_TESTS=no install \ DESTDIR=${DISTDIR}/${DISTRIBUTION} ${_+_}cd ${.CURDIR} ; ${MAKE} distribution DESTDIR=${DISTDIR}/${DISTRIBUTION} .include .if defined(NO_ROOT) METALOG.add?= cat -l >> ${METALOG} .endif distribution: .if !defined(DESTDIR) @echo "set DESTDIR before running \"make ${.TARGET}\"" @false .endif cd ${.CURDIR}; \ ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 644 \ ${BIN1} ${DESTDIR}/etc; \ ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \ master.passwd ${DESTDIR}/etc; .if ${MK_TCSH} == "no" sed -i "" -e 's;/bin/csh;/bin/sh;' ${DESTDIR}/etc/master.passwd .endif pwd_mkdb -i -p -d ${DESTDIR}/etc ${DESTDIR}/etc/master.passwd .if defined(NO_ROOT) ( \ echo "./etc/passwd type=file mode=0644 uname=root gname=wheel"; \ echo "./etc/pwd.db type=file mode=0644 uname=root gname=wheel"; \ echo "./etc/spwd.db type=file mode=0600 uname=root gname=wheel"; \ ) | ${METALOG.add} .endif ${_+_}cd ${.CURDIR}/gss; ${MAKE} install ${_+_}cd ${.CURDIR}/mtree; ${MAKE} install ${_+_}cd ${SRCTOP}/share/termcap; ${MAKE} etc-termcap ${_+_}cd ${SRCTOP}/usr.sbin/rmt; ${MAKE} etc-rmt .if ${MK_UNBOUND} != "no" if [ ! -e ${DESTDIR}/etc/unbound ]; then \ ${INSTALL_SYMLINK} ../var/unbound ${DESTDIR}/etc/unbound; \ fi .endif .if ${MK_SENDMAIL} != "no" ${_+_}cd ${.CURDIR}/sendmail; ${MAKE} distribution .endif .if ${MK_KERBEROS} != "no" cd ${.CURDIR}/root; \ ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 644 \ dot.k5login ${DESTDIR}/root/.k5login; .endif .if ${MK_MAIL} != "no" cd ${.CURDIR}/mail; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 644 \ ${ETCMAIL} ${DESTDIR}/etc/mail if [ -d ${DESTDIR}/etc/mail -a -f ${DESTDIR}/etc/mail/aliases -a \ ! -f ${DESTDIR}/etc/aliases ]; then \ ${INSTALL_SYMLINK} mail/aliases ${DESTDIR}/etc/aliases; \ fi .endif .if ${MK_LOCATE} != "no" ${INSTALL} -o nobody -g ${BINGRP} -m 644 /dev/null \ ${DESTDIR}/var/db/locate.database .endif cd ${.CURDIR}/..; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 444 \ ${FREEBSD} ${DESTDIR}/ .if ${MK_BOOT} != "no" .if exists(${SRCTOP}/sys/${MACHINE}/conf/GENERIC.hints) ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 444 \ ${SRCTOP}/sys/${MACHINE}/conf/GENERIC.hints \ ${DESTDIR}/boot/device.hints .endif .endif MTREE_CMD?= mtree MTREES= mtree/BSD.root.dist / \ mtree/BSD.var.dist /var \ mtree/BSD.usr.dist /usr \ mtree/BSD.include.dist /usr/include \ mtree/BSD.debug.dist /usr/lib .if ${MK_LIB32} != "no" MTREES+= mtree/BSD.lib32.dist /usr MTREES+= mtree/BSD.lib32.dist /usr/lib/debug/usr .endif .if ${MK_LIBSOFT} != "no" MTREES+= mtree/BSD.libsoft.dist /usr MTREES+= mtree/BSD.libsoft.dist /usr/lib/debug/usr .endif .if ${MK_TESTS} != "no" MTREES+= mtree/BSD.tests.dist ${TESTSBASE} MTREES+= mtree/BSD.tests.dist /usr/lib/debug/${TESTSBASE} .endif .if ${MK_SENDMAIL} != "no" MTREES+= mtree/BSD.sendmail.dist / .endif .for mtree in ${LOCAL_MTREE} MTREES+= ../${mtree} / .endfor # Clean up some directories that where mistakenly created as files that # should not have been as part of the nvi update in r281994. # This should be removed after 11.0-RELEASE. DISTRIB_CLEANUP_SHARE_FILES= ${SHAREDIR}/doc/usd/10.exref ${SHAREDIR}/doc/usd/11.edit DISTRIB_CLEANUP_SHARE_FILES+= ${SHAREDIR}/doc/usd/12.vi ${SHAREDIR}/doc/usd/13.viref distrib-cleanup: .PHONY for file in ${DISTRIB_CLEANUP_SHARE_FILES}; do \ if [ -f ${DESTDIR}/$${file} ]; then \ rm -f ${DESTDIR}/$${file}; \ fi; \ done distrib-dirs: ${MTREES:N/*} distrib-cleanup .PHONY @set ${MTREES}; \ while test $$# -ge 2; do \ m=${.CURDIR}/$$1; \ shift; \ d=${DESTDIR}$$1; \ shift; \ test -d $$d || mkdir -p $$d; \ ${ECHO} ${MTREE_CMD} -deU ${MTREE_FSCHG} \ ${MTREE_FOLLOWS_SYMLINKS} -f $$m -p $$d; \ ${MTREE_FILTER} $$m | \ ${MTREE_CMD} -deU ${MTREE_FSCHG} ${MTREE_FOLLOWS_SYMLINKS} \ -p $$d; \ done; true .if defined(NO_ROOT) @set ${MTREES}; \ while test $$# -ge 2; do \ m=${.CURDIR}/$$1; \ shift; \ d=$$1; \ test "$$d" == "/" && d=""; \ d=${DISTBASE}$$d; \ shift; \ test -d ${DESTDIR}/$$d || mkdir -p ${DESTDIR}/$$d; \ ${ECHO} "${MTREE_CMD:N-W} -C -f $$m -K all | " \ "sed s#^\.#.$$d# | ${METALOG.add}" ; \ ${MTREE_FILTER} $$m | \ ${MTREE_CMD:N-W} -C -K all | sed s#^\.#.$$d# | \ ${METALOG.add} ; \ done; true .endif .if ${MK_NLS} != "no" set - `grep "^[a-zA-Z]" ${.CURDIR}/nls.alias`; \ while [ $$# -gt 0 ] ; do \ ${INSTALL_SYMLINK} "$$2" "${DESTDIR}${SHAREDIR}/nls/$$1"; \ shift; shift; \ done .endif etc-examples: ${META_DEPS} cd ${.CURDIR}; ${INSTALL} ${TAG_ARGS} -o ${BINOWN} -g ${BINGRP} -m 444 \ ${BIN1} ${BIN2} \ ${DESTDIR}${SHAREDIR}/examples/etc .include .if ${MK_INSTALL_AS_USER} == "yes" && ${_uid} != 0 MTREE_FILTER= sed -e 's,\([gu]\)name=,\1id=,g' \ -e 's,\(uid=\)[^ ]* ,\1${_uid} ,' \ -e 's,\(gid=\)[^ ]* ,\1${_gid} ,' \ -e 's,\(uid=\)[^ ]*$$,\1${_uid},' \ -e 's,\(gid=\)[^ ]*$$,\1${_gid},' .else MTREE_FILTER= cat .if !defined(NO_FSCHG) MTREE_FSCHG= -i .endif .endif Index: head/lib/libwrap/Makefile =================================================================== --- head/lib/libwrap/Makefile (revision 338886) +++ head/lib/libwrap/Makefile (revision 338887) @@ -1,39 +1,40 @@ # # $FreeBSD$ # .include +CONFS= hosts.allow PACKAGE=lib${LIB} LIB= wrap SHLIB_MAJOR= 6 INCS= tcpd.h MAN= hosts_access.3 MAN+= hosts_access.5 hosts_options.5 MLINKS= hosts_access.3 hosts_ctl.3 \ hosts_access.3 request_init.3 \ hosts_access.3 request_set.3 \ hosts_options.5 hosts.allow.5 .PATH: ${SRCTOP}/contrib/tcp_wrappers CFLAGS+=-DFACILITY=LOG_AUTH -DHOSTS_ACCESS -DNETGROUP -DDAEMON_UMASK=022 \ -DREAL_DAEMON_DIR=\"${LIBEXECDIR}\" -DPROCESS_OPTIONS \ -DSEVERITY=LOG_INFO -DRFC931_TIMEOUT=10 \ -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\" \ -DSYS_ERRLIST_DEFINED -DALWAYS_HOSTNAME -DUSE_STRSEP -DPROCESS_OPTIONS .if ${MK_NIS} == "no" CFLAGS+= -DUSE_GETDOMAIN .endif .if ${MK_INET6_SUPPORT} != "no" CFLAGS+=-DINET6 .endif WARNS?= 0 SRCS= clean_exit.c diag.c eval.c fix_options.c fromhost.c \ hosts_access.c hosts_ctl.c misc.c myvsyslog.c options.c \ percent_m.c percent_x.c refuse.c rfc931.c shell_cmd.c \ socket.c tli.c update.c workarounds.c libvars.c .include Index: head/lib/libwrap/hosts.allow =================================================================== --- head/lib/libwrap/hosts.allow (nonexistent) +++ head/lib/libwrap/hosts.allow (revision 338887) @@ -0,0 +1,92 @@ +# +# hosts.allow access control file for "tcp wrapped" applications. +# $FreeBSD$ +# +# NOTE: The hosts.deny file is deprecated. +# Place both 'allow' and 'deny' rules in the hosts.allow file. +# See hosts_options(5) for the format of this file. +# hosts_access(5) no longer fully applies. +# +# _____ _ _ +# | ____| __ __ __ _ _ __ ___ _ __ | | ___ | | +# | _| \ \/ / / _` | | '_ ` _ \ | '_ \ | | / _ \ | | +# | |___ > < | (_| | | | | | | | | |_) | | | | __/ |_| +# |_____| /_/\_\ \__,_| |_| |_| |_| | .__/ |_| \___| (_) +# |_| +# !!! This is an example! You will need to modify it for your specific +# !!! requirements! + + +# Start by allowing everything (this prevents the rest of the file +# from working, so remove it when you need protection). +# The rules here work on a "First match wins" basis. +ALL : ALL : allow + +# Wrapping sshd(8) is not normally a good idea, but if you +# need to do it, here's how +#sshd : .evil.cracker.example.com : deny + +# Protect against simple DNS spoofing attacks by checking that the +# forward and reverse records for the remote host match. If a mismatch +# occurs, access is denied, and any positive ident response within +# 20 seconds is logged. No protection is afforded against DNS poisoning, +# IP spoofing or more complicated attacks. Hosts with no reverse DNS +# pass this rule. +ALL : PARANOID : RFC931 20 : deny + +# Allow anything from localhost. Note that an IP address (not a host +# name) *MUST* be specified for rpcbind(8). +ALL : localhost 127.0.0.1 : allow +# Comment out next line if you build libwrap without IPv6 support. +ALL : [::1] : allow +#ALL : my.machine.example.com 192.0.2.35 : allow + +# To use IPv6 addresses you must enclose them in []'s +#ALL : [fe80::%fxp0]/10 : allow +#ALL : [fe80::]/10 : deny +#ALL : [2001:db8:2:1:2:3:4:3fe1] : deny +#ALL : [2001:db8:2:1::]/64 : allow + +# Sendmail can help protect you against spammers and relay-rapers +sendmail : localhost : allow +#sendmail : .nice.guy.example.com : allow +#sendmail : .evil.cracker.example.com : deny +sendmail : ALL : allow + +# Exim is an alternative to sendmail, available in the ports tree +exim : localhost : allow +#exim : .nice.guy.example.com : allow +#exim : .evil.cracker.example.com : deny +exim : ALL : allow + +# Rpcbind is used for all RPC services; protect your NFS! +# Rpcbind should be running with -W option to support this. +# (IP addresses rather than hostnames *MUST* be used here) +#rpcbind : 192.0.2.32/255.255.255.224 : allow +#rpcbind : 192.0.2.96/255.255.255.224 : allow +rpcbind : ALL : deny + +# NIS master server. Only local nets should have access +# (Since this is an RPC service, rpcbind needs to be considered) +ypserv : localhost : allow +#ypserv : .unsafe.my.net.example.com : deny +#ypserv : .my.net.example.com : allow +ypserv : ALL : deny + +# Provide a small amount of protection for ftpd +ftpd : localhost : allow +#ftpd : .nice.guy.example.com : allow +#ftpd : .evil.cracker.example.com : deny +ftpd : ALL : allow + +# You need to be clever with finger; do _not_ backfinger!! You can easily +# start a "finger war". +fingerd : ALL \ + : spawn (echo Finger. | \ + /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \ + : deny + +# The rest of the daemons are protected. +ALL : ALL \ + : severity auth.info \ + : twist /bin/echo "You are not welcome to use %d from %h." Property changes on: head/lib/libwrap/hosts.allow ___________________________________________________________________ Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property