How to: Block access to specific ports on a Linux or FreeBSD machine

Mike Peters, 03-22-2007
If you have a BSD/Linux machine running POP3, IMAP4, Memcached or other services, you will want to limit access to only a few servers in your network.

One way of limiting access to those services is to place the server behind a firewall, but that may not be a valid or efficient solution. Thankfully, FreeBSD, OpenBSD, NetBSD and Mac OS X have a host access control facility configured via the /etc/hosts.allow file.

Here's how:

The syntax of /etc/hosts.allow is actually quite simple:

service : host/network : option [: option] ...


* Service is the name of the dæmon or service program that the rule will be written for. Examples include popa3d, imapd, and sshd. You can also use the ALL wild card to cover all services and dæmons.

* Host/network is the host or network that the rule will apply to. You can use any of the following notations to best suit your needs.

o IP Address: or
o IP Class A/B/C Subnet: 10.4. or 172.16.7.
o IP Network with Subnet Mask: or
o IPv6 Addresses: [2f3f::]/10 or [4c20:fe37:1:1::]/64
o Fully Qualified Domain Name: or
o Domain Name: or
o Relative Hostname: foo or bad
o Wild Cards: Wild card options that can be used are:

+ ALL: All clients regardless of IP address or domain name.

+ PARANOID: Clients whose hostnames don't match their ident/domain lookup names. This does not apply to machines that do not have any reverse domain lookup names.

+ LOCAL: A client that comes from the same machine or domain as the host.

+ UNKNOWN: A client that cannot be resolved to anything known.

+ KNOWN: A client whose name and addresses can be resolved.

* option is a command or an option telling it how to treat the connection request. In the majority of cases, you will see or use allow or deny for the command. The spawn or twist commands can also be used to send a customized error to the requester or send an alert to the administrator. Some of the most commonly used options will be covered a bit later in this article.


The option field for each rule provides the basic allow and deny directives, plus several other options that let you customize how the connection attempt is logged (via syslog or e-mail), run a system command, or otherwise control the connection. Below are the most common options that you may use in /etc/hosts.allow and how they affect the connection.

* allow: As the name implies, it simply lets the connection through; this option must be at the end of a rule.

* deny: Denies the connection without providing the requester any chance to try again. All denied connections are logged to syslog with the service and host that the deny rule matched.

* spawn (command(s)): Generates a new process that will run the command(s) given, but the spawn commands themselves will not allow or deny the connection, so you must have either " : allow" or " : deny" at the end of the rule in order to make the rule truly effective.

11211_service_name : ip_to_allow : allow
11211_service_name : all : deny
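
How a rule pair like the one above is evaluated, as an added example (not code from the original post): a small IPv4-only evaluator following hosts_access semantics, where the first matching rule decides and a request that matches no rule is granted. The daemon name memcached and the addresses are assumptions standing in for 11211_service_name and ip_to_allow, and /etc/hosts.deny is assumed to be empty.

```python
import ipaddress

# Constructed sample; "memcached" stands in for the page's 11211_service_name
# placeholder and the addresses are illustrative.
SAMPLE = """\
memcached : 192.0.2.10 10.4. : allow
memcached : ALL : deny
"""

def items(field):
    """Split a service or host list on spaces and commas."""
    return field.replace(",", " ").split()

def parse_rules(text):
    """Return [(services, hosts, verdict)] from hosts.allow text (IPv4 only)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # blank line, comment, or not a rule
        # Only the trailing allow/deny is modelled; spawn/twist are ignored.
        verdict = "deny" if fields[-1].lower() == "deny" else "allow"
        rules.append((items(fields[0]), items(fields[1]), verdict))
    return rules

def host_matches(pattern, client_ip):
    """Match one host/network pattern against an IPv4 client address."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):          # subnet prefix form, e.g. "10.4."
        return client_ip.startswith(pattern)
    if "/" in pattern:                 # network with subnet mask
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in net
    return pattern == client_ip        # single IP address

def decide(rules, service, client_ip):
    """First matching rule wins; with no match, access is granted."""
    for services, hosts, verdict in rules:
        svc_ok = any(s.upper() == "ALL" or s == service for s in services)
        if svc_ok and any(host_matches(h, client_ip) for h in hosts):
            return verdict
    return "allow"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "10.4.7.9", "203.0.113.5"):
        print(ip, decide(parse_rules(SAMPLE), "memcached", ip))
```

Without the final deny line, an unlisted client falls through every rule and is granted access, which is why the catch-all rule has to close the list.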