From: Cy Schubert - ITSD Open Systems Group
To: vladimir@math.uic.edu
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: ipfw advice needed
In-reply-to: Your message of "21 Oct 2000 18:22:40 -0000." <20001021182240.21355.qmail@math.uic.edu>
Date: Sun, 22 Oct 2000 07:23:09 -0700

In message <20001021182240.21355.qmail@math.uic.edu>, vladimir@math.uic.edu writes:

> Dear -STABLE users,
>
> I am trying to set up ipfw rules to protect some
> of our crucial machines, including a file server.
> The system is 4.1.1-STABLE. So far I've been
> using access lists on the router, but would like
> to get some extra security on the machine itself.
> One thing got me confused: there are a couple of
> daemons that are listening on ports not
> listed in /etc/services. For example, (lsof output):
>
> ypserv      126 root  5u IPv4 0xcefe2d80 0t0 TCP *:1023 (LISTEN)
> ypbind      128 root  5u IPv4 0xcefe2b60 0t0 TCP *:1022 (LISTEN)
> mountd      135 root  4u IPv4 0xcefe2940 0t0 TCP *:1021 (LISTEN)
> nfsd        137 root  3u IPv4 0xcefe2720 0t0 TCP *:nfsd (LISTEN)
> rpc.lockd   161 root  4u IPv4 0xce898900 0t0 UDP *:lockd
> rpc.lockd   161 root  5u IPv4 0xcefe2500 0t0 TCP *:lockd (LISTEN)
> rpc.lockd   161 root  9u IPv4 0xce89a6c0 0t0 UDP *:855
> rpc.statd   163 root  3u IPv4 0xce898840 0t0 UDP *:990
> rpc.statd   163 root  4u IPv4 0xcefe22e0 0t0 TCP *:1020 (LISTEN)
>
> ypbind listens on port 1022, mountd on tcp port 1021, ypserv on tcp
> port 1023, statd on port 1020. What do I do with those?
> Are these ports officially assigned or are they arbitrarily selected
> by these daemons when they start and register with the portmapper?
> Is there a range of TCP ports that I should keep open for
> incoming connections for these services to operate properly?
> Any hints would be appreciated.

These are RPC services. You can use rpcinfo -p to get another view of this.

The port numbers are either arbitrarily defined by standard, e.g. nfsd and lockd, arbitrarily defined by an admin, e.g. Remedy, or randomly selected within a range, e.g. NIS, NIS+, mountd, rpc.statd, automountd, and amd.

Whether you want to keep certain ports open or closed depends on the application(s) you run and your security requirements. Generally, RPC services should be blocked.

Regards,                        Phone:  (250)387-8437
Cy Schubert                     Fax:    (250)387-5766
Team Leader, Sun/DEC Team       Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
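As an added illustration of the rpcinfo -p approach described in the reply (example code, not from the thread or from FreeBSD), the script below parses rpcinfo -p output into the currently registered RPC ports and emits ipfw rules that allow only a trusted client subnet to reach them and deny (and log) everyone else. The rpcinfo sample is constructed to mirror the lsof listing in the question; the trusted subnet 10.0.0.0/24, interface fxp0 and rule numbers are assumptions.

```shell
#!/bin/sh
# Added example: derive per-port ipfw rules from 'rpcinfo -p' output.
# Constructed sample of 'rpcinfo -p' output; on a live host replace it with
# the real command's output (SAMPLE_RPCINFO=$(rpcinfo -p)).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   tcp   1023  ypserv
    100007    2   tcp   1022  ypbind
    100005    1   tcp   1021  mountd
    100003    2   tcp   2049  nfsd
    100021    1   udp    855  nlockmgr
    100024    1   tcp   1020  status'

# rpc_ports PROTO: distinct ports registered for PROTO (tcp|udp), one per
# line, ascending. Skips the header line and any other protocol.
rpc_ports() {
    printf '%s\n' "$SAMPLE_RPCINFO" \
        | awk -v p="$1" 'NR > 1 && $3 == p { print $4 }' \
        | sort -un
}

# gen_rules TRUSTED_NET IFACE: print one allow rule (trusted subnet) followed
# by one deny+log rule (everyone else) per registered port and protocol.
# Rule numbers start at 1000 (assumed) so they sit ahead of a later
# catch-all; renumber to fit your own ruleset.
gen_rules() {
    net=$1; iface=$2; n=1000
    for proto in tcp udp; do
        for port in $(rpc_ports "$proto"); do
            echo "ipfw add $n allow $proto from $net to any $port in via $iface"
            n=$((n + 1))
            echo "ipfw add $n deny log $proto from any to any $port in via $iface"
            n=$((n + 1))
        done
    done
}

gen_rules 10.0.0.0/24 fxp0
```

Because mountd, ypserv, ypbind and rpc.statd pick their ports when they start, these rules only match the current boot; regenerate them (or load them from rc after the daemons register) rather than treating the numbers as fixed.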