From owner-freebsd-questions@FreeBSD.ORG Wed Jan 26 05:09:59 2005
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0C95C16A4CE for ; Wed, 26 Jan 2005 05:09:59 +0000 (GMT)
Received: from szamoca.krvarr.bc.ca (s142-179-111-232.bc.hsia.telus.net [142.179.111.232]) by mx1.FreeBSD.org (Postfix) with ESMTP id 93FA443D39 for ; Wed, 26 Jan 2005 05:09:58 +0000 (GMT) (envelope-from sandy@krvarr.bc.ca)
Received: from szamoca.krvarr.bc.ca (localhost [127.0.0.1]) by szamoca.krvarr.bc.ca (8.13.1/8.12.11) with ESMTP id j0Q59lF6014637; Tue, 25 Jan 2005 21:09:47 -0800 (PST) (envelope-from sandy@szamoca.krvarr.bc.ca)
Received: (from sandy@localhost) by szamoca.krvarr.bc.ca (8.13.1/8.12.11/Submit) id j0Q59jT7014634; Tue, 25 Jan 2005 21:09:45 -0800 (PST) (envelope-from sandy)
From: Sandy Rutherford
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <16887.9753.14706.630611@szamoca.krvarr.bc.ca>
Date: Tue, 25 Jan 2005 21:09:45 -0800
To: cpghost
In-Reply-To: <41F75C88.209@cordula.ws>
References: <41F640BA.2040707@cordula.ws> <16886.56708.519994.924956@szamoca.krvarr.bc.ca> <41F75C88.209@cordula.ws>
X-Mailer: VM 7.07 under Emacs 21.3.1
cc: freebsd-questions@freebsd.org
Subject: Re: Restricting NFS daemons
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Wed, 26 Jan 2005 05:09:59 -0000

>>>>> On Wed, 26 Jan 2005 10:02:00 +0100,
>>>>> cpghost said:

> But the question is how to get rpcbind to use tcp-wrappers
> in the first place!
> Because even with this in hosts.allow, sockstat -46l still
> shows:
>
> root rpcbind 10188 7  udp4 127.0.0.1:111   *:*
> root rpcbind 10188 8  udp4 192.168.1.1:111 *:*
> root rpcbind 10188 9  udp4 *:              *:*
> root rpcbind 10188 10 tcp4 *:              *:*
>
> So it's still binding to INADDR_ANY :-(
> Am I missing something obvious, or is rpcbind not "tcp wrapped"
> by default?

Should be. Double check to make sure that /usr/sbin/portmap is linked
to libwrap. On 4.10, I have:

    % objdump -x portmap | head -n 25
    /usr/libexec/elf/objdump: portmap: no symbols

    portmap:     file format elf32-i386
    portmap
    architecture: i386, flags 0x00000112:
    EXEC_P, HAS_SYMS, D_PAGED
    start address 0x08048de8

    Program Header:
        PHDR off    0x00000034 vaddr 0x08048034 paddr 0x08048034 align 2**2
             filesz 0x000000c0 memsz 0x000000c0 flags r-x
      INTERP off    0x000000f4 vaddr 0x080480f4 paddr 0x080480f4 align 2**0
             filesz 0x00000019 memsz 0x00000019 flags r--
        LOAD off    0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12
             filesz 0x00002700 memsz 0x00002700 flags r-x
        LOAD off    0x00002700 vaddr 0x0804b700 paddr 0x0804b700 align 2**12
             filesz 0x000001ec memsz 0x00000218 flags rw-
     DYNAMIC off    0x0000275c vaddr 0x0804b75c paddr 0x0804b75c align 2**2
             filesz 0x000000b8 memsz 0x000000b8 flags rw-
        NOTE off    0x00000110 vaddr 0x08048110 paddr 0x08048110 align 2**2
             filesz 0x00000018 memsz 0x00000018 flags r--

    Dynamic Section:
      NEEDED      libwrap.so.3
      NEEDED      libc.so.4
      INIT        0x8048adc

I am not surprised that rpcbind is still bound to all of your
interfaces. AFAIK, tcp-wrappers doesn't control which interface is
being listened on, but rather it controls from which IP numbers
connections will be accepted. This is what I meant when I said that
tcp-wrappers doesn't do exactly what you want. However, if you use
tcp-wrappers to accept only connections from 192.168.1.0/255.255.255.0
and configure a firewall on this host to block all connections to the
interface in question from this address range, then you will end up
with something approximating what you want.
...Sandy
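An added example, not part of the thread, that works through the two checks discussed above: whether a daemon is bound to INADDR_ANY according to `sockstat -46l`, and whether a binary pulls in libwrap according to the Dynamic Section of `objdump -x`. It then models hosts_access(5)-style matching (the `ALL`, `net/mask`, trailing-dot prefix and exact-address forms only) to make the distinction concrete: a wrapped daemon still listens on `*`, and the wrapper decides per client address after the connection arrives. The sockstat and objdump texts are constructed samples modelled on the thread, the allow/deny rules are hypothetical, and the matcher is a simplified model, not the libwrap code.

```python
"""Audit wildcard listeners, libwrap linkage, and model tcp_wrappers client checks."""
import ipaddress

# Constructed sample of `sockstat -46l` output, modelled on the thread (not real host data).
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     rpcbind    10188 7  udp4   127.0.0.1:111         *:*
root     rpcbind    10188 8  udp4   192.168.1.1:111       *:*
root     rpcbind    10188 9  udp4   *:111                 *:*
root     rpcbind    10188 10 tcp4   *:111                 *:*
root     sshd       512   3  tcp4   192.168.1.1:22        *:*
"""

# Constructed excerpt of the Dynamic Section printed by `objdump -x` on a wrapped binary.
OBJDUMP_SAMPLE = """\
Dynamic Section:
  NEEDED      libwrap.so.3
  NEEDED      libc.so.4
  INIT        0x8048adc
"""

# Hypothetical hosts.allow / hosts.deny rules in "daemon_list : client_list" form.
ALLOW_RULES = ["rpcbind : 192.168.1.0/255.255.255.0, 127.0.0.1"]
DENY_RULES = ["rpcbind : ALL"]


def parse_sockstat(text):
    """Turn sockstat rows into dicts; the local address is split into addr and port."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":  # skip header and short lines
            continue
        user, command, pid, fd, proto, local, foreign = fields[:7]
        addr, _, port = local.rpartition(":")
        rows.append({"user": user, "command": command, "pid": int(pid),
                     "proto": proto, "addr": addr, "port": port})
    return rows


def wildcard_listeners(text):
    """Sockets bound to INADDR_ANY, shown as '*' by sockstat."""
    return sorted({(r["command"], r["proto"], r["port"])
                   for r in parse_sockstat(text) if r["addr"] == "*"})


def needed_libraries(objdump_text):
    """NEEDED entries from an objdump Dynamic Section."""
    return [line.split()[1] for line in objdump_text.splitlines()
            if line.split()[:1] == ["NEEDED"]]


def linked_with_libwrap(objdump_text):
    """True if the binary's dynamic dependencies include libwrap."""
    return any(lib.startswith("libwrap.so") for lib in needed_libraries(objdump_text))


def pattern_matches(pattern, client_ip):
    """Simplified hosts_access(5) client pattern: ALL, net/mask or CIDR, 'a.b.c.' prefix, exact."""
    pattern = pattern.strip()
    addr = ipaddress.ip_address(client_ip)
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        # ipaddress accepts both a dotted netmask and a prefix length after the slash
        return addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):
        return str(addr).startswith(pattern)
    return addr == ipaddress.ip_address(pattern)


def rule_matches(rule, daemon, client_ip):
    """A rule matches when both its daemon list and its client list match."""
    daemons, clients = rule.split(":", 1)
    daemon_ok = any(d.strip() in ("ALL", daemon) for d in daemons.split(","))
    client_ok = any(pattern_matches(p, client_ip) for p in clients.split(","))
    return daemon_ok and client_ok


def client_allowed(daemon, client_ip, allow_rules, deny_rules):
    """Classic two-file semantics: first allow match wins, then first deny match, else allow."""
    if any(rule_matches(r, daemon, client_ip) for r in allow_rules):
        return True
    if any(rule_matches(r, daemon, client_ip) for r in deny_rules):
        return False
    return True


if __name__ == "__main__":
    print("bound to INADDR_ANY:", wildcard_listeners(SOCKSTAT_SAMPLE))
    print("portmap linked with libwrap:", linked_with_libwrap(OBJDUMP_SAMPLE))
    # The socket stays bound to '*'; only the client decision changes per source address.
    for ip in ("192.168.1.50", "10.0.0.5"):
        print(f"rpcbind connection from {ip} allowed:",
              client_allowed("rpcbind", ip, ALLOW_RULES, DENY_RULES))
```

The wildcard list is the bind-address question and the allow/deny result is the wrapper question; the two are independent, which is why a host firewall is still needed to keep the listener off an interface entirely.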