Got this from my SWAT help file for host allow:
hosts allow (S)
A synonym for this parameter is allow hosts.
This parameter is a comma, space, or tab delimited set of hosts which are permitted to access a service.
If specified in the [global] section then it will apply to all services, regardless of whether the individual service has a different setting.
You can specify the hosts by name or IP number. For example, you could restrict access to only the hosts on a Class C subnet with something like allow hosts = 150.203.5. . The full syntax of the list is described in the man page hosts_access(5). Note that this man page may not be present on your system, so a brief description will be given here also.
Note that the localhost address 127.0.0.1 will always be allowed access unless specifically denied by a hosts deny option.
You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The EXCEPT keyword can also be used to limit a wildcard list. The following examples may provide some help:
Example 1: allow all IPs in 150.203.*.*; except one
hosts allow = 150.203. EXCEPT 188.8.131.52
Example 2: allow hosts that match the given network/netmask
hosts allow = 184.108.40.206/255.255.255.0
Example 3: allow a couple of hosts
hosts allow = lapland, arvidsjaur
Example 4: allow only hosts in NIS netgroup "foonet", but deny access from one particular host
hosts allow = @foonet
hosts deny = pirate
Note that access still requires suitable user-level passwords.
See testparm(1) for a way of testing your host access to see if it does what you expect.
Default: none (i.e., all hosts permitted access)
Example: allow hosts = 150.203.5. myhost.mynet.edu.au