From owner-freebsd-security  Fri Feb  9 14:56:31 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20])
	by hub.freebsd.org (Postfix) with ESMTP id 83FBE37B6AC
	for <freebsd-security@FreeBSD.ORG>; Fri,  9 Feb 2001 14:56:07 -0800 (PST)
Received: (from bright@localhost)
	by fw.wintelcom.net (8.10.0/8.10.0) id f19Mu2w22873;
	Fri, 9 Feb 2001 14:56:02 -0800 (PST)
Date: Fri, 9 Feb 2001 14:56:02 -0800
From: Alfred Perlstein <bright@wintelcom.net>
To: Borja Marcos <borjamar@sarenet.es>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: nfsd support for tcp_wrapper -> General RPC solution
Message-ID: <20010209145602.T26076@fw.wintelcom.net>
References: <Pine.BSF.4.33.0102091125000.59792-100000@deneb.dbai.tuwien.ac.at> <3A83C933.8F89DC69@sarenet.es> <20010209133615.P26076@fw.wintelcom.net> <3A8474A6.D5D0DCE9@sarenet.es>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3A8474A6.D5D0DCE9@sarenet.es>; from borjamar@sarenet.es on Fri, Feb 09, 2001 at 11:52:22PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Borja Marcos <borjamar@sarenet.es> [010209 14:52] wrote:
> Alfred Perlstein wrote:
> 
> > This is a really flawed idea.
> 
> 	Humm. Yours is a flawed reading of my message? ;-)

You're right. :)

> > 
> > In fact because afaik NFS always uses a well known port, you really
> > don't need portmap to map it, you just need to use the port,
> > portmapper for NFS is just a formality.
> > 
> > Ok, with that out of the window, we _could_ consider mucking userland
> > mountd to use tcpwrappers to graft an ACL to what's in /etc/exports.
> > This is also a bad idea, one can just brute force the NFS
> > cookie/filehandle required to gain access, then contact the NFS
> > port.
> > 
> > The solution is to use a firewall.
> 
> 	Yes, and what about having portmap set the right firewall
> rules to protect RPC services? Whenever a service registers itself
> to portmap, it puts firewall rules to block access to the port.
> That is what I am proposing!
> 
> 	Yes, NFS uses a fixed port, but not other RPC services.

Well, using a firewall would work fine, but relying on obfuscation
by just hiding portmap won't.  That's where I misread what you said,
I thought you only meant to firewall portmap, but if you can add hooks
to portmap to run ipfw rules... that would interesting. :)

-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message