From owner-freebsd-security Fri Feb 9 13:36:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id E1A2437B491 for ; Fri, 9 Feb 2001 13:36:17 -0800 (PST) Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id f19LaFG19754; Fri, 9 Feb 2001 13:36:15 -0800 (PST) Date: Fri, 9 Feb 2001 13:36:15 -0800 From: Alfred Perlstein To: Borja Marcos Cc: freebsd-security@FreeBSD.ORG Subject: Re: nfsd support for tcp_wrapper -> General RPC solution Message-ID: <20010209133615.P26076@fw.wintelcom.net> References: <3A83C933.8F89DC69@sarenet.es> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3A83C933.8F89DC69@sarenet.es>; from borjamar@sarenet.es on Fri, Feb 09, 2001 at 11:40:51AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * Borja Marcos [010209 02:41] wrote: > Gerald Pfeifer wrote: > > > > On Tue, 30 Jan 2001, Alfred Perlstein wrote: > > >> Or are we just missing something? > > > Missing the fact that nfsd is an in-kernel process and therefore > > > pretty hard to link against libwrap. > > > > Hard, or impossible? ;-) > > Well, nfsd must serve requests at high speed. Having it > call TCP Wrapper can be a big overhead, depending on how you have > configured /etc/hosts.allow and /etc/hosts.deny > > I was thinking about a different (and general) solution, but I > have had no time to implement it. Perhaps I will try to find some time. > > The trick is to use the portmapper with TCP Wrapper with a slight > twist. You keep a set of firewall (ipfw or ipfilter) rules in a file, > and whenever portmap receives the RPC service registration from the > daemon, it "runs" the ipfw or ipfilter configuration > script passing it the port number where the service has registered. > > This provides good protection for *any* RPC service, > you don't need to tinker with RPC daemons -only the portmapper- > and the overhead is minimal: only a call to the TCP Wrapper library > whenever a service registers itself to the portmapper. This is a really flawed idea. All portmap does is provide a name/version/protocol mapping of a service to a tcp/udp port. One can trivially do a portscan of a box running RPC services and figure out which are open. You don't need portmap to brute force finding out where a remote vulnerable service is located. In fact because afaik NFS always uses a well known port, you really don't need portmap to map it, you just need to use the port, portmapper for NFS is just a formality. Ok, with that out of the window, we _could_ consider mucking userland mountd to use tcpwrappers to graft an ACL to what's in /etc/exports. This is also a bad idea, one can just brute force the NFS cookie/filehandle required to gain access, then contact the NFS port. The solution is to use a firewall. -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] "I have the heart of a child; I keep it in a jar on my desk." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message