From owner-freebsd-stable Sat Oct 21 12:48:55 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from math.uic.edu (galois.math.uic.edu [131.193.178.114]) by hub.freebsd.org (Postfix) with SMTP id 6134737B479 for ; Sat, 21 Oct 2000 12:48:53 -0700 (PDT)
Received: (qmail 21625 invoked by uid 31415); 21 Oct 2000 19:49:16 -0000
Date: 21 Oct 2000 19:49:16 -0000
Message-ID: <20001021194916.21624.qmail@math.uic.edu>
From: vladimir@math.uic.edu
To: bartequi@inwind.it, freebsd-stable@freebsd.org
Subject: Re: ipfw advice needed
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>From bartequi@inwind.it Sat Oct 21 18:49:56 2000
>Delivered-To: vladimir@math.uic.edu
>From: Salvo Bartolotta
>Date: Sat, 21 Oct 2000 19:48:43 GMT
>Subject: Re: ipfw advice needed
>To: vladimir@math.uic.edu
>X-Priority: 3 (Normal)
>MIME-Version: 1.0
>Content-Transfer-Encoding: quoted-printable
>
>>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
>
>On 10/21/00, 7:22:40 PM, vladimir@math.uic.edu wrote regarding ipfw
>advice needed:
>
>
>> Dear -STABLE users,
>
>> I am trying to set up ipfw rules to protect some
>> of our crucial machines, including a file server.
>> The system is 4.1.1-STABLE. So far I've been
>> using access lists on the router, but would like
>> to get some extra security on the machine itself.
>> One thing got me confused: there are a couple of
>> daemons that are listening on ports not
>> listed in /etc/services. For example (lsof output):
>
>> ypserv      126 root    5u  IPv4 0xcefe2d80  0t0  TCP *:1023 (LISTEN)
>> ypbind      128 root    5u  IPv4 0xcefe2b60  0t0  TCP *:1022 (LISTEN)
>> mountd      135 root    4u  IPv4 0xcefe2940  0t0  TCP *:1021 (LISTEN)
>> nfsd        137 root    3u  IPv4 0xcefe2720  0t0  TCP *:nfsd (LISTEN)
>> rpc.lockd   161 root    4u  IPv4 0xce898900  0t0  UDP *:lockd
>> rpc.lockd   161 root    5u  IPv4 0xcefe2500  0t0  TCP *:lockd (LISTEN)
>> rpc.lockd   161 root    9u  IPv4 0xce89a6c0  0t0  UDP *:855
>> rpc.statd   163 root    3u  IPv4 0xce898840  0t0  UDP *:990
>> rpc.statd   163 root    4u  IPv4 0xcefe22e0  0t0  TCP *:1020 (LISTEN)
>
>
>> ypbind listens on port 1022, mountd on tcp port 1021, ypserv on tcp
>> port 1023, statd on port 1020. What do I do with those?
>> Are these ports officially assigned, or are they arbitrarily selected
>> by these daemons when they start and register with the portmapper?
>> Is there a range of TCP ports that I should keep open for
>> incoming connections for these services to operate properly?
>> Any hints would be appreciated.
>> Thank you!
>> Vladimir
>
>
>
>The short answer is portmap(8), ypserv(8), ypbind(8); also, some
>material is found in the handbook (in particular, cf Security; cf
>Advanced Networking).
>
>Golden service rule: if you don't need them, nuke them. In order to
>nuke them: cf ps(1), kill(1), rc.conf(5).
>
>N.B. I am not a security expert; rather, I am RTFMing the subject :-)
>Somebody else will give you tips as to the most appropriate policy.
>
>HTH a little,
>Salvo

Hi Salvo,

thank you very much for the reply, but I think you misunderstood me a
little. We do need these services, because the machine in question is
an NFS server and a yp slave (sorry I was not specific about that).
I understand that ypbind has decided to listen on port 1022 and
registered that with the portmapper, but I guess what I wanted to
know is: is there any way to control this choice of a port number?
I could not find any relevant documentation on that (I apologize if
the answer is somewhat obvious).

Thanks,
Vladimir
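An added example for the question in this thread; it is not code from Vladimir, Salvo or the FreeBSD project. It parses the lsof listing quoted above (retyped by hand as a constructed sample) and emits one allow-from-trusted-net / deny-from-any pair of ipfw rules per listening socket. Ports that lsof prints as bare numbers are the ones with no /etc/services entry; RPC daemons bind such ports when they start and register them with the portmapper, so a rule keyed to "1022" is only valid until ypbind next restarts, which is why the rules are generated from the live listing rather than written by hand. The trusted subnet 10.0.0.0/24, the rule numbering and the exact rule text (the 4.x-era `add <num> allow <proto> from <net> to me <port>` form, with /etc/services names passed through in the port position) are assumptions to check against ipfw(8) on the target host.

```python
"""Turn an lsof(8) listener listing into a matching set of ipfw(8) rules.

Added example, not from the thread or the FreeBSD project. SAMPLE_LSOF is
the lsof output from the message, retyped by hand. The trusted subnet,
the rule numbering and the rule text are assumptions: verify with ipfw(8).
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the listeners Vladimir posted, plus an lsof header line.
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
ypserv      126 root    5u  IPv4 0xcefe2d80      0t0  TCP *:1023 (LISTEN)
ypbind      128 root    5u  IPv4 0xcefe2b60      0t0  TCP *:1022 (LISTEN)
mountd      135 root    4u  IPv4 0xcefe2940      0t0  TCP *:1021 (LISTEN)
nfsd        137 root    3u  IPv4 0xcefe2720      0t0  TCP *:nfsd (LISTEN)
rpc.lockd   161 root    4u  IPv4 0xce898900      0t0  UDP *:lockd
rpc.lockd   161 root    5u  IPv4 0xcefe2500      0t0  TCP *:lockd (LISTEN)
rpc.lockd   161 root    9u  IPv4 0xce89a6c0      0t0  UDP *:855
rpc.statd   163 root    3u  IPv4 0xce898840      0t0  UDP *:990
rpc.statd   163 root    4u  IPv4 0xcefe22e0      0t0  TCP *:1020 (LISTEN)
"""

# Assumed: the only network that should reach NFS/NIS on this server.
TRUSTED_NET = "10.0.0.0/24"

# lsof prints NAME as "addr:port"; port is a number when /etc/services has
# no entry for it, otherwise the service name (nfsd, lockd, ...).
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+IPv4\s+"
    r"\S+\s+\S+\s+(?P<proto>TCP|UDP)\s+(?P<addr>[^:\s]+):(?P<port>\S+)"
    r"(?:\s+\((?P<state>\w+)\))?\s*$"
)


@dataclass(frozen=True)
class Listener:
    cmd: str
    pid: int
    proto: str   # "tcp" or "udp"
    addr: str    # "*" for a wildcard bind
    port: str    # number or /etc/services name, exactly as lsof printed it

    @property
    def is_named(self) -> bool:
        """True when lsof resolved the port through /etc/services."""
        return not self.port.isdigit()


def parse_lsof(text: str) -> List[Listener]:
    """Parse lsof -i output; the header and non-matching lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LSOF_RE.match(line)
        if not m:
            continue
        # UDP sockets carry no state; a TCP socket that is not in LISTEN is
        # an outbound connection and needs no inbound rule.
        if m["proto"] == "TCP" and m["state"] != "LISTEN":
            continue
        out.append(Listener(m["cmd"], int(m["pid"]), m["proto"].lower(),
                            m["addr"], m["port"]))
    return out


def dynamic_listeners(listeners: List[Listener]) -> List[Listener]:
    """Sockets on bare numeric ports: the ones the thread asks about.
    The daemon picked the port at startup and registered it with the
    portmapper, so rules keyed to it must be regenerated after a restart."""
    return [l for l in listeners if not l.is_named]


def ipfw_rules(listeners: List[Listener], trusted_net: str,
               base: int = 1000, step: int = 10) -> List[str]:
    """One allow-from-trusted / deny-from-any pair per listening socket.
    Named ports are passed through unchanged, since ipfw accepts
    /etc/services names in the port position (assumed 4.x syntax)."""
    rules, num = [], base
    for l in listeners:
        rules.append(f"add {num} allow {l.proto} from {trusted_net} "
                     f"to me {l.port}")
        num += step
        rules.append(f"add {num} deny {l.proto} from any to me {l.port}")
        num += step
    return rules


if __name__ == "__main__":
    found = parse_lsof(SAMPLE_LSOF)
    for l in dynamic_listeners(found):
        print(f"# {l.cmd}[{l.pid}] on {l.proto}/{l.port}: not in "
              f"/etc/services, regenerate these rules after a restart")
    for r in ipfw_rules(found, TRUSTED_NET):
        print("ipfw", r)
```

On the real host, feed it `lsof -i` output instead of the sample and run it from the same place that restarts the RPC daemons, so the rule set follows the ports they actually bound; the allow rules assume an earlier rule already passes established TCP traffic, as the usual 4.x rule sets do.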