From owner-freebsd-security  Fri Feb  9 14:52:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from orhi.sarenet.es (orhi.sarenet.es [192.148.167.5])
	by hub.freebsd.org (Postfix) with ESMTP id 3C40437B67D
	for <freebsd-security@freebsd.org>; Fri,  9 Feb 2001 14:52:26 -0800 (PST)
Received: from sarenet.es (sollube.sarenet.es [192.148.167.16])
	by orhi.sarenet.es (Postfix) with SMTP id 62FA14A1F
	for <freebsd-security@freebsd.org>; Fri,  9 Feb 2001 23:52:19 +0100 (MET)
Received: from sarenet.es ([192.148.167.77]) by sarenet.es ; Fri, 09 Feb 2001 23:52:15 +0100
Message-ID: <3A8474A6.D5D0DCE9@sarenet.es>
Date: Fri, 09 Feb 2001 23:52:22 +0100
From: Borja Marcos <borjamar@sarenet.es>
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Re: nfsd support for tcp_wrapper -> General RPC solution
References: <Pine.BSF.4.33.0102091125000.59792-100000@deneb.dbai.tuwien.ac.at> <3A83C933.8F89DC69@sarenet.es> <20010209133615.P26076@fw.wintelcom.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Alfred Perlstein wrote:

> This is a really flawed idea.

	Humm. Yours is a flawed reading of my message? ;-)

> All portmap does is provide a name/version/protocol mapping of a
> service to a tcp/udp port.  One can trivially do a portscan of
> a box running RPC services and figure out which are open.  You
> don't need portmap to brute force finding out where a remote
> vulnerable service is located.

	But if portmap can set up the right rules for ipfw,
the brute force portscan will have no success. (read below)

> 
> In fact because afaik NFS always uses a well known port, you really
> don't need portmap to map it, you just need to use the port,
> portmapper for NFS is just a formality.
> 
> Ok, with that out of the window, we _could_ consider mucking userland
> mountd to use tcpwrappers to graft an ACL to what's in /etc/exports.
> This is also a bad idea, one can just brute force the NFS
> cookie/filehandle required to gain access, then contact the NFS
> port.
> 
> The solution is to use a firewall.

	Yes, and what about having portmap set the right firewall
rules to protect RPC services? Whenever a service registers itself
to portmap, it puts firewall rules to block access to the port.
That is what I am proposing!

	Yes, NFS uses a fixed port, but not other RPC services.


	Borja.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message