From: Danny Braniss <danny@cs.huji.ac.il>
To: Brooks Davis
Cc: freebsd-net@freebsd.org, John Polstra
Subject: Re: IPMI & portrange
Date: Wed, 27 Sep 2006 09:03:35 +0300
In-reply-to: <20060926212751.GA53219@lor.one-eyed-alien.net>
References: <20060926212751.GA53219@lor.one-eyed-alien.net>
List-Id: Networking and TCP/IP with FreeBSD

> On Tue, Sep 26, 2006 at 01:53:44PM -0700, John Polstra wrote:
> > On 26-Sep-2006 Danny Braniss wrote:
> > > This keeps biting me every other upgrade, IPMI on some
> > > hosts, if enabled, will steal packets to port 623 or 664, so
> > > the current solution is either set net.inet.ip.portrange.lowlast
> > > to 664, (for some reason this does not seem to work if done via
> > > loader.conf) or change it in sys/netinet/in.h.
> > >
> > > So, is there some way to blacklist some ports, instead
> > > of increasing portrange.lowlast?
> >
> > You could use your favorite scripting language to create a socket,
> > bind it to the port, listen on it, and just sit there doing nothing
> > -- for each port you want to blacklist. That would keep the ports
> > from being used by anything else.
>
> Extending the internal service functionality of inetd might be a good
> approach for this sort of thing. The current method of service matching
> based on port and protocol could be augmented with the ability to
> connect arbitrary "internal" services to arbitrary ports, perhaps via
> arguments to the "internal" command. Then you could hook discard to
> ports you don't want to use.
>
> -- Brooks

Some IP traffic is generated earlier, tftp/dhcp/dns/nfs, which ruins my
initial thought of putting the list in loader.rc or something - in a
diskless environment there is a chicken and egg problem.

danny
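The "bind it and sit there" workaround John Polstra describes, written out as an added example (this is not code from the thread or from FreeBSD). It holds one listening TCP socket and one UDP socket on each port so the kernel will neither hand the port out as an ephemeral source port nor let another process bind it; the port list 623/664 is taken from the thread, the helper names are the example's own, and binding ports below 1024 requires root. As Danny's reply points out, this only protects traffic generated after the script starts.

```python
import errno
import socket

# Ports named in the thread: a BMC sharing the host's NIC intercepts packets
# sent to these, so a client that happens to pick one as its source port never
# sees the reply.
IPMI_PORTS = (623, 664)


def reserve_ports(ports, host="0.0.0.0"):
    """Open and hold one listening TCP and one UDP socket per port.

    SO_REUSEADDR is deliberately NOT set: the whole point is that any later
    bind() on these ports, explicit or implicit (ephemeral port choice),
    fails with EADDRINUSE.  Returns the open sockets; keep the list alive.
    """
    held = []
    try:
        for port in ports:
            for proto in (socket.SOCK_STREAM, socket.SOCK_DGRAM):
                s = socket.socket(socket.AF_INET, proto)
                s.bind((host, port))
                if proto == socket.SOCK_STREAM:
                    s.listen(1)  # never accept(); the listener just sits there
                held.append(s)
    except OSError:
        release_ports(held)  # do not leave a half-reserved set behind
        raise
    return held


def release_ports(held):
    """Close every held socket, freeing the ports again."""
    for s in held:
        s.close()


def port_is_held(port, host="127.0.0.1"):
    """True if both a TCP and a UDP bind on (host, port) fail with EADDRINUSE."""
    for proto in (socket.SOCK_STREAM, socket.SOCK_DGRAM):
        s = socket.socket(socket.AF_INET, proto)
        try:
            s.bind((host, port))
        except OSError as e:
            if e.errno != errno.EADDRINUSE:
                raise  # EACCES etc. is a different problem, surface it
        else:
            return False  # bind succeeded, so nobody is holding the port
        finally:
            s.close()
    return True


def find_free_port(host="127.0.0.1"):
    """Ask the kernel for a currently unused port (used for self-testing)."""
    s = socket.socket()
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import signal
    import sys

    ports = [int(a) for a in sys.argv[1:]] or list(IPMI_PORTS)
    held = reserve_ports(ports)
    print("holding ports", ports, "- interrupt to release")
    signal.pause()
```

Run it as root with no arguments to hold 623 and 664, or pass another port list; `port_is_held()` is the check to confirm from a second process that the reservation is in effect.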