Date: Wed, 27 Sep 2006 09:03:35 +0300
From: Danny Braniss <danny@cs.huji.ac.il>
To: Brooks Davis <brooks@one-eyed-alien.net>
Cc: freebsd-net@freebsd.org, John Polstra <jdp@polstra.com>
Subject: Re: IPMI & portrange
Message-ID: <E1GSSW7-000L4K-Em@cs1.cs.huji.ac.il>
In-Reply-To: <20060926212751.GA53219@lor.one-eyed-alien.net>
References: <E1GS7Rr-0006b7-EH@cs1.cs.huji.ac.il> <XFMail.20060926135344.jdp@polstra.com> <20060926212751.GA53219@lor.one-eyed-alien.net>
> On Tue, Sep 26, 2006 at 01:53:44PM -0700, John Polstra wrote:
> > On 26-Sep-2006 Danny Braniss wrote:
> > > This keeps biting me every other upgrade, IPMI on some
> > > hosts, if enabled, will steal packets to port 623 or 664, so
> > > the current solution is either set net.inet.ip.portrange.lowlast
> > > to 664, (for some reason this does not seem to work if done via
> > > loader.conf) or change it in sys/netinet/in.h.
> > >
> > > So, is there some way to blacklist some ports, instead
> > > of increasing portrange.lowlast?
> >
> > You could use your favorite scripting language to create a socket,
> > bind it to the port, listen on it, and just sit there doing nothing
> > -- for each port you want to blacklist. That would keep the ports
> > from being used by anything else.
>
> Extending the internal service functionality of inetd might be a good
> approach for this sort of thing. The current method of service matching
> based on port and protocol could be augmented with the ability to
> connect arbitrary "internal" services to arbitrary ports, perhaps via
> arguments to the "internal" command. Then you could hook discard to
> ports you don't want to use.
>
> -- Brooks

Some IP traffic is generated earlier (tftp/dhcp/dns/nfs), which ruins my initial thought of putting the list in loader.rc or something; in a diskless environment there is a chicken-and-egg problem.

danny
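The "bind a socket and sit on it" approach John Polstra suggests, written out as an added example (this is not code from the thread or from FreeBSD). It holds both a TCP listener and a UDP socket on each listed port so the kernel will not hand that port out as an ephemeral source port, which is what lets a BMC sniffing port 623 or 664 swallow replies meant for the host. The function names, the `0.0.0.0` default and the probe helper are all assumptions of this example; the script does nothing for traffic sent before userland is up, which is exactly the diskless chicken-and-egg problem Danny describes.

```python
import errno
import signal
import socket
import sys

# Ports the thread says IPMI intercepts; overridable on the command line.
DEFAULT_PORTS = (623, 664)


def reserve_ports(ports, host="0.0.0.0"):
    """Bind a listening TCP socket and a UDP socket on every port in `ports`.

    While the returned sockets stay open the kernel cannot allocate those
    ports to anything else, so they are never chosen as ephemeral ports.
    Deliberately no SO_REUSEADDR / SO_REUSEPORT: the hold must be exclusive.
    On failure every socket opened so far is closed before re-raising.
    """
    held = []
    try:
        for port in ports:
            tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            tcp.bind((host, port))
            tcp.listen(1)          # listening, but nothing ever accept()s
            held.append(tcp)

            udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            udp.bind((host, port))  # the IPMI/RMCP case is UDP, so hold that too
            held.append(udp)
    except OSError:
        release_ports(held)
        raise
    return held


def release_ports(socks):
    """Close the holder sockets; the ports become allocatable again."""
    for s in socks:
        s.close()


def port_is_reserved(port, host="0.0.0.0", proto=socket.SOCK_STREAM):
    """Probe: True if a fresh bind on (host, port) is refused with EADDRINUSE."""
    probe = socket.socket(socket.AF_INET, proto)
    try:
        probe.bind((host, port))
    except OSError as e:
        return e.errno == errno.EADDRINUSE
    finally:
        probe.close()
    return False


def pick_free_port(host="127.0.0.1"):
    """Ask the kernel for any free TCP port (used to self-test without root)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Usage: python reserve_ports.py [port ...]   (needs root for ports < 1024)
    ports = [int(p) for p in sys.argv[1:]] or list(DEFAULT_PORTS)
    holders = reserve_ports(ports)
    print("holding ports", ports, "(TCP+UDP); stop with SIGTERM/Ctrl-C")
    try:
        signal.pause()
    except KeyboardInterrupt:
        pass
    finally:
        release_ports(holders)
```

Run it from an rc script as early as practical and leave it running; the reservation lasts only as long as the process holds the sockets, and it cannot cover the tftp/dhcp/nfs traffic a diskless client sends before that script exists.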