Date: Fri, 09 Feb 2001 11:40:51 +0100
From: Borja Marcos <borjamar@sarenet.es>
To: freebsd-security@freebsd.org
Subject: Re: nfsd support for tcp_wrapper -> General RPC solution
Message-ID: <3A83C933.8F89DC69@sarenet.es>
References: <Pine.BSF.4.33.0102091125000.59792-100000@deneb.dbai.tuwien.ac.at>
Gerald Pfeifer wrote:
>
> > On Tue, 30 Jan 2001, Alfred Perlstein wrote:
> >> Or are we just missing something?
> > Missing the fact that nfsd is an in-kernel process and therefore
> > pretty hard to link against libwrap.
>
> Hard, or impossible? ;-)

Well, nfsd must serve requests at high speed. Having it call TCP Wrapper can be a big overhead, depending on how you have configured /etc/hosts.allow and /etc/hosts.deny.

I was thinking about a different (and general) solution, but I have had no time to implement it. Perhaps I will try to find some time.

The trick is to use the portmapper with TCP Wrapper, with a slight twist. You keep a set of firewall (ipfw or ipfilter) rules in a file, and whenever portmap receives the RPC service registration from the daemon, it "runs" the ipfw or ipfilter configuration script, passing it the port number where the service has registered.

This provides good protection for *any* RPC service, you don't need to tinker with RPC daemons (only the portmapper), and the overhead is minimal: only a call to the TCP Wrapper library whenever a service registers itself to the portmapper.

Borja.
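The registration hook described in the message above, as an added example that is not part of the original post or of FreeBSD's portmap: a POSIX sh script that a patched portmapper would invoke with the service name, protocol and registered port, and which turns an assumed policy file (/etc/rpc-fw.conf, constructed format) into the ipfw rules for that port. The file name, policy format, rule numbering and the script interface are all assumptions.

```shell
#!/bin/sh
# Hypothetical hook run by a patched portmap on every RPC registration.
# Not FreeBSD code; file name, policy format and variables are assumed.
# Usage: rpc_fw_hook.sh <service> <tcp|udp> <port>
#
# Policy file (one rule per line, '#' comments), evaluated in file order:
#   <service>   <allow|deny>   <source cidr>
# Every registration ends with a deny-all rule, so an RPC service that is
# not listed in the policy is reachable from nowhere.
POLICY_FILE=${POLICY_FILE:-/etc/rpc-fw.conf}
IPFW=${IPFW:-/sbin/ipfw}
RULE_BASE=${RULE_BASE:-10000}   # ipfw rule numbers reserved for RPC ports

# rpc_rules <service> <proto> <port>: print the ipfw commands for one
# registration, one per line, without executing them.
rpc_rules() {
    svc=$1 proto=$2 port=$3
    # Validate what portmap hands us before it reaches a command line.
    case $proto in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    n=$((RULE_BASE + port))
    [ "$port" -ge 1 ] && [ "$n" -lt 65535 ] || {
        echo "port out of range: $port" >&2; return 1; }
    # All rules for this port share number $n, so a re-registration
    # replaces the previous rule set instead of stacking on top of it.
    echo "$IPFW -q delete $n"
    while read -r name action cidr rest; do
        case $name in ''|\#*) continue ;; esac
        [ "$name" = "$svc" ] || continue
        case $action in
            allow|deny) echo "$IPFW -q add $n $action $proto from $cidr to me $port" ;;
            *) echo "bad action '$action' for $svc" >&2; return 1 ;;
        esac
    done < "$POLICY_FILE"
    # Catch-all: only sources allowed above may reach the new port.
    echo "$IPFW -q add $n deny $proto from any to me $port"
}

# Apply the rules for real only when invoked by portmap with three arguments.
if [ $# -eq 3 ]; then
    cmds=$(rpc_rules "$1" "$2" "$3") || exit 1
    printf '%s\n' "$cmds" | sh
fi
```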