From: Borja Marcos <borjamar@sarenet.es>
Date: Fri, 09 Feb 2001 11:40:51 +0100
To: freebsd-security@freebsd.org
Subject: Re: nfsd support for tcp_wrapper -> General RPC solution

Gerald Pfeifer wrote:
>
> On Tue, 30 Jan 2001, Alfred Perlstein wrote:
> >> Or are we just missing something?
> > Missing the fact that nfsd is an in-kernel process and therefore
> > pretty hard to link against libwrap.
>
> Hard, or impossible? ;-)

Well, nfsd must serve requests at high speed. Having it call TCP Wrapper can be a big overhead, depending on how you have configured /etc/hosts.allow and /etc/hosts.deny.

I was thinking about a different (and general) solution, but I have had no time to implement it. Perhaps I will try to find some time.

The trick is to use the portmapper with TCP Wrapper, with a slight twist. You keep a set of firewall (ipfw or ipfilter) rules in a file, and whenever portmap receives the RPC service registration from the daemon, it "runs" the ipfw or ipfilter configuration script, passing it the port number where the service has registered.

This provides good protection for *any* RPC service; you don't need to tinker with RPC daemons (only the portmapper) and the overhead is minimal: only a call to the TCP Wrapper library whenever a service registers itself to the portmapper.

Borja.
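The firewall half of the scheme sketched above, as an added example that is not code from this thread or from FreeBSD: a POSIX sh hook that a modified portmapper could run with the protocol and port a service just registered, turning a static allow-list into ipfw rules for that port. The script name, ALLOWED_NETS, RULE_NUM and the argument convention are assumptions.

```shell
#!/bin/sh
# Constructed example of the registration hook described in the message:
# a (hypothetically modified) portmapper runs this script whenever an RPC
# daemon registers, passing the protocol and port the service was given.
# The script turns a static allow-list into ipfw rules for that port.
# Not FreeBSD code; ALLOWED_NETS, RULE_NUM and the script name are assumptions.

# Networks permitted to reach RPC services (constructed sample values).
ALLOWED_NETS="192.0.2.0/24 198.51.100.7"
RULE_NUM=2000            # all dynamic RPC rules share one ipfw rule number
IPFW=${IPFW:-ipfw}       # set IPFW=echo to see the commands without applying

# A port is valid if it is all digits and within 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ipfw rule bodies for one registered service: allow each listed
# network, then deny everyone else. Rejects anything the portmapper could
# not legitimately have handed us, so a bad argument never becomes a rule.
rpc_rules() {
    proto=$1
    port=$2
    case "$proto" in
        tcp|udp) ;;
        *) echo "rpc_rules: bad protocol '$proto'" >&2; return 1 ;;
    esac
    valid_port "$port" || { echo "rpc_rules: bad port '$port'" >&2; return 1; }
    for net in $ALLOWED_NETS; do
        echo "add $RULE_NUM allow $proto from $net to me $port in"
    done
    echo "add $RULE_NUM deny $proto from any to me $port in"
}

# Feed each generated rule to ipfw (the rule is word-split on purpose).
apply_rpc_rules() {
    rpc_rules "$1" "$2" | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        $IPFW -q $rule
    done
}

# Invoked by the portmapper as: rpc-register-hook <tcp|udp> <port>
if [ $# -eq 2 ]; then
    apply_rpc_rules "$1" "$2"
fi
```

The TCP Wrapper check on the registering daemon, which the message places in portmap itself, is outside this script; it only translates a completed registration into rules, and because every rule shares RULE_NUM, `ipfw delete 2000` clears all of them when the rule file is reloaded.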