From owner-freebsd-security Fri Feb 9 15:20:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from barabas.bitstream.net (barabas.bitstream.net [216.243.128.159]) by hub.freebsd.org (Postfix) with SMTP id 0170C37B6AE for ; Fri, 9 Feb 2001 15:20:11 -0800 (PST)
Received: (qmail 79698 invoked from network); 9 Feb 2001 23:20:10 -0000
Received: from unknown (HELO dmitri.bitstream.net) (216.243.132.33) by barabas with SMTP; 9 Feb 2001 23:20:10 -0000
Date: Fri, 9 Feb 2001 17:12:42 -0600 (CST)
From: Dan Debertin
To: Borja Marcos
Cc: "freebsd-security@freebsd.org"
Subject: Re: nfsd support for tcp_wrapper -> General RPC solution
In-Reply-To: <3A8474A6.D5D0DCE9@sarenet.es>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 9 Feb 2001, Borja Marcos wrote:

>       Yes, and what about having portmap set the right firewall
> rules to protect RPC services? Whenever a service registers itself
> to portmap, it puts firewall rules to block access to the port.
> That is what I am proposing!

I posted on this subject last month. You can trivially update your
firewall rules with the following set of pipes (assuming your NFS
server is at 10.0.0.1, and the service you're looking for is mountd):

UDPMOUNTD=`rpcinfo -p 10.0.0.1|awk '$5~/mountd/&&$3~/udp/{print $4}'|uniq`

Then, build your ipfw (or ipf, whatever) rules using $UDPMOUNTD:

# ipfw add deny udp from $EXTERNAL_NET to 10.0.0.1 $UDPMOUNTD

Dan Debertin
--
++ Unix is the worst operating system, except for all others.
++ Dan Debertin
++ Senior Systems Administrator
++ Bitstream Underground, LLC
++ airboss@bitstream.net
++ (612)321-9290 x108
++ GPG Fingerprint: 0BC5 F4D6 649F D0C8 D1A7 CAE4 BEF4 0A5C 300D 2387

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
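The rpcinfo/awk pipeline in the message above works for the one case it shows, but an RPC service can be registered on more than one port and over both udp and tcp, and if the service is not registered at all the variable expands to nothing and the ipfw command is malformed. The script below is an added example, not code from Dan Debertin's post or from FreeBSD: it parses "rpcinfo -p" output, collects every distinct port a given service has registered for a given protocol, and emits one ipfw deny rule per port, returning failure instead of a rule when the service is absent. The rpcinfo output embedded in it is constructed for the example, not captured from a real host; the server address 10.0.0.1 comes from the post, and the 192.0.2.0/24 source network is a placeholder.

```shell
#!/bin/sh
# Added example: build per-port firewall rules for an RPC service from
# "rpcinfo -p" output. Not from the original mailing-list post.

# Constructed sample of "rpcinfo -p 10.0.0.1" output (not a real capture).
# Columns: program vers proto port service
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100005    1   udp    926  mountd
    100005    3   udp    926  mountd
    100005    1   tcp    930  mountd
    100005    3   tcp    930  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp    722  nlockmgr
    100021    4   tcp    711  nlockmgr'

# rpc_ports SERVICE PROTO   (rpcinfo -p output on stdin)
# Prints each distinct port the service is registered on, one per line.
# Exact field matches avoid "nfs" also matching e.g. "nfs_acl"; sort -u
# rather than uniq, because identical ports need not be adjacent lines.
rpc_ports() {
    awk -v svc="$1" -v proto="$2" '$5 == svc && $3 == proto { print $4 }' | sort -un
}

# ipfw_rules SERVER SERVICE PROTO SRC   (rpcinfo -p output on stdin)
# Emits one "ipfw add deny" rule per registered port. Returns 1 and emits
# nothing if the service is not registered, so a caller never installs a
# rule with an empty port field.
ipfw_rules() {
    server=$1; svc=$2; proto=$3; src=$4
    ports=$(rpc_ports "$svc" "$proto")
    [ -n "$ports" ] || return 1
    for p in $ports; do
        echo "ipfw add deny $proto from $src to $server $p"
    done
}

# Against a live host you would pipe the real output in:
#   rpcinfo -p 10.0.0.1 | ipfw_rules 10.0.0.1 mountd udp 192.0.2.0/24
# Here the constructed sample stands in for it.
printf '%s\n' "$SAMPLE_RPCINFO" | ipfw_rules 10.0.0.1 mountd udp 192.0.2.0/24
printf '%s\n' "$SAMPLE_RPCINFO" | ipfw_rules 10.0.0.1 mountd tcp 192.0.2.0/24
printf '%s\n' "$SAMPLE_RPCINFO" | ipfw_rules 10.0.0.1 nlockmgr tcp 192.0.2.0/24
```

Two caveats when using this for real: the ports mountd and the lock manager pick are assigned when they start, so the rules have to be regenerated after every daemon restart (which is exactly the gap the thread's portmap-driven proposal is trying to close), and the information comes from the server's own portmapper, so the firewall host must be allowed to reach port 111 on it.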