Date:      Wed, 26 Jan 2005 12:00:57 +0100
From:      cpghost <cpghost@cordula.ws>
To:        Sandy Rutherford <sandy@krvarr.bc.ca>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Restricting NFS daemons
Message-ID:  <20050126110057.GA22040@fw.farid-hajji.net>
In-Reply-To: <16887.9753.14706.630611@szamoca.krvarr.bc.ca>
References:  <41F640BA.2040707@cordula.ws> <16886.56708.519994.924956@szamoca.krvarr.bc.ca> <41F75C88.209@cordula.ws> <16887.9753.14706.630611@szamoca.krvarr.bc.ca>

On Tue, Jan 25, 2005 at 09:09:45PM -0800, Sandy Rutherford wrote:
>  > But the question is how to get rpcbind to use tcp-wrappers
>  > in the first place!
> 
>  > Because even with this in hosts.allow, sockstat -46l still
>  > shows:
> 
>  > root     rpcbind    10188 7  udp4   127.0.0.1:111         *:*
>  > root     rpcbind    10188 8  udp4   192.168.1.1:111       *:*
>  > root     rpcbind    10188 9  udp4   *:<some_random_port>  *:*
>  > root     rpcbind    10188 10 tcp4   *:<some_random_port>  *:*
> 
>  > So it's still binding to INADDR_ANY :-(
> 
>  > Am I missing something obvious, or is rpcbind not "tcp wrapped"
>  > by default?
> 
> Should be.  Double check to make sure that /usr/sbin/portmap is linked
> to libwrap.

Good idea! Yes indeed, rpcbind is linked to libwrap:

/usr/sbin/rpcbind:
        libwrap.so.3 => /usr/lib/libwrap.so.3 (0x28080000)
        libutil.so.4 => /lib/libutil.so.4 (0x28088000)
        libc.so.5 => /lib/libc.so.5 (0x28094000)

> I am not surprised that rpcbind is still bound to all of your
> interfaces.  AFAIK, tcp-wrappers doesn't control which interface is
> being listened on, but rather it controls from which IP numbers
> connections will be accepted.  This is what I meant, when I said that
> tcp-wrappers doesn't do exactly what you want.  However, if you use
> tcp-wrappers to accept only connections from 192.168.1.0/255.255.255.0
> and configure a firewall on this host to block all connections to the
> interface in question from this address range, then you will end up
> with something approximating what you want.

Yes, that's approximately what I had in mind.

Thank you for your help! :)

> ...Sandy

Cheers,
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
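The two checks this exchange walks through (is rpcbind linked against libwrap, and which of its sockets are bound to INADDR_ANY), plus the hosts.allow policy Sandy suggests, as a small sh audit script. This is an added example, not code from the thread; it assumes the column layout of FreeBSD's `sockstat -46l` shown in the quoted output and the daemon name `rpcbind` in hosts.allow. The sockstat sample lines are constructed.

```shell
# Constructed sockstat -46l sample, same columns as the quoted output above.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     rpcbind    10188 7  udp4   127.0.0.1:111         *:*
root     rpcbind    10188 8  udp4   192.168.1.1:111       *:*
root     rpcbind    10188 9  udp4   *:600                 *:*
root     rpcbind    10188 10 tcp4   *:701                 *:*
root     sshd       412   4  tcp4   192.168.1.1:22        *:*'

# wildcard_listeners DAEMON: read sockstat output on stdin and print
# "PROTO PORT" for every socket of DAEMON whose local address is "*"
# (INADDR_ANY), i.e. the sockets tcp-wrappers cannot pin to one interface.
wildcard_listeners() {
    awk -v daemon="$1" '
        NR > 1 && $2 == daemon && $6 ~ /^\*:/ {
            sub(/^\*:/, "", $6)
            print $5, $6
        }'
}

# libwrap_linked BINARY: succeed only if ldd shows libwrap among the
# binary's shared libraries (the check Sandy asked for).
libwrap_linked() {
    ldd "$1" 2>/dev/null | grep -q 'libwrap\.so'
}

# hosts_allow_fragment NET MASK: tcp-wrappers policy accepting rpcbind
# clients from one subnet only and denying everyone else. Assumed
# hosts.allow syntax: "daemon : client : allow|deny".
hosts_allow_fragment() {
    printf 'rpcbind : %s/%s : allow\nrpcbind : ALL : deny\n' "$1" "$2"
}

# Usage on a live host (remember tcp-wrappers filters sources, not
# interfaces; the firewall rule still has to cover the wildcard sockets):
#   sockstat -46l | wildcard_listeners rpcbind
#   libwrap_linked /usr/sbin/rpcbind && echo "rpcbind is tcp-wrapped"
#   hosts_allow_fragment 192.168.1.0 255.255.255.0 >> /etc/hosts.allow
```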