Date: Fri, 09 Feb 2001 23:52:22 +0100 From: Borja Marcos <borjamar@sarenet.es> To: freebsd-security@freebsd.org Subject: Re: nfsd support for tcp_wrapper -> General RPC solution Message-ID: <3A8474A6.D5D0DCE9@sarenet.es> References: <Pine.BSF.4.33.0102091125000.59792-100000@deneb.dbai.tuwien.ac.at> <3A83C933.8F89DC69@sarenet.es> <20010209133615.P26076@fw.wintelcom.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Alfred Perlstein wrote: > This is a really flawed idea. Humm. Yours is a flawed reading of my message? ;-) > All portmap does is provide a name/version/protocol mapping of a > service to a tcp/udp port. One can trivially do a portscan of > a box running RPC services and figure out which are open. You > don't need portmap to brute force finding out where a remote > vulnerable service is located. But if portmap can set up the right rules for ipfw, the brute force portscan will have no success. (read below) > > In fact because afaik NFS always uses a well known port, you really > don't need portmap to map it, you just need to use the port, > portmapper for NFS is just a formality. > > Ok, with that out of the window, we _could_ consider mucking userland > mountd to use tcpwrappers to graft an ACL to what's in /etc/exports. > This is also a bad idea, one can just brute force the NFS > cookie/filehandle required to gain access, then contact the NFS > port. > > The solution is to use a firewall. Yes, and what about having portmap set the right firewall rules to protect RPC services? Whenever a service registers itself to portmap, it puts firewall rules to block access to the port. That is what I am proposing! Yes, NFS uses a fixed port, but not other RPC services. Borja. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A8474A6.D5D0DCE9>