From owner-freebsd-questions@FreeBSD.ORG Wed Jan 26 11:05:45 2005
Date: Wed, 26 Jan 2005 12:00:57 +0100
From: cpghost
To: Sandy Rutherford
Cc: freebsd-questions@freebsd.org
Subject: Re: Restricting NFS daemons
Message-ID: <20050126110057.GA22040@fw.farid-hajji.net>
References: <41F640BA.2040707@cordula.ws> <16886.56708.519994.924956@szamoca.krvarr.bc.ca> <41F75C88.209@cordula.ws> <16887.9753.14706.630611@szamoca.krvarr.bc.ca>
In-Reply-To: <16887.9753.14706.630611@szamoca.krvarr.bc.ca>
User-Agent: Mutt/1.5.6i

On Tue, Jan 25, 2005 at 09:09:45PM -0800, Sandy Rutherford wrote:

> > But the question is how to get rpcbind to use tcp-wrappers
> > in the first place!
> >
> > Because even with this in hosts.allow, sockstat -46l still
> > shows:
> >
> > root rpcbind 10188 7  udp4 127.0.0.1:111   *:*
> > root rpcbind 10188 8  udp4 192.168.1.1:111 *:*
> > root rpcbind 10188 9  udp4 *:              *:*
> > root rpcbind 10188 10 tcp4 *:              *:*
> >
> > So it's still binding to INADDR_ANY :-(
> >
> > Am I missing something obvious, or is rpcbind not "tcp wrapped"
> > by default?
>
> Should be. Double check to make sure that /usr/sbin/portmap is linked
> to libwrap.

Good idea! Yes indeed, rpcbind is linked to libwrap:

/usr/sbin/rpcbind:
        libwrap.so.3 => /usr/lib/libwrap.so.3 (0x28080000)
        libutil.so.4 => /lib/libutil.so.4 (0x28088000)
        libc.so.5 => /lib/libc.so.5 (0x28094000)

> I am not surprised that rpcbind is still bound to all of your
> interfaces. AFAIK, tcp-wrappers doesn't control which interface is
> being listened on, but rather it controls from which IP numbers
> connections will be accepted. This is what I meant, when I said that
> tcp-wrappers doesn't do exactly what you want. However, if you use
> tcp-wrappers to accept only connections from 192.168.1.0/255.255.255.0
> and configure a firewall on this host to block all connections to the
> interface in question from this address range, then you will end up
> with something approximating what you want.

Yes, that's approximately what I had in mind.

Thank you for your help! :)

> ...Sandy

Cheers,
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
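The two checks and the two-layer restriction discussed in the thread, as an added example that is not part of the original mail: it confirms from ldd output that rpcbind is linked against libwrap (so hosts.allow will be consulted at all), lists which rpcbind sockets are bound to INADDR_ANY from sockstat -46l output, and emits the hosts.allow entries plus host firewall rules that limit port 111 to the LAN. The LAN range 192.168.1.0/24, the choice of ipfw as the firewall, and both sample outputs are assumptions constructed for the example. As the thread says, tcp-wrappers only decides which clients get an answer once a packet arrives; it never changes which addresses rpcbind binds to (FreeBSD's rpcbind -h option picks the UDP bind addresses, but the TCP listener stays on the wildcard), which is why the firewall rule is needed as well.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits rpcbind's listeners and
# emits the hosts.allow and ipfw rules that limit the portmapper to the LAN.
# Hypothetical assumptions: LAN is 192.168.1.0/24 (mask 255.255.255.0), ipfw.
LAN_NET="192.168.1.0"
LAN_MASK="255.255.255.0"
LAN_CIDR="192.168.1.0/24"

# Constructed sample of `sockstat -46l` output (mirrors the lines in the thread).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     rpcbind    10188 7  udp4   127.0.0.1:111         *:*
root     rpcbind    10188 8  udp4   192.168.1.1:111       *:*
root     rpcbind    10188 9  udp4   *:111                 *:*
root     rpcbind    10188 10 tcp4   *:111                 *:*'

# Constructed sample of `ldd /usr/sbin/rpcbind` output.
SAMPLE_LDD='/usr/sbin/rpcbind:
        libwrap.so.3 => /usr/lib/libwrap.so.3 (0x28080000)
        libutil.so.4 => /lib/libutil.so.4 (0x28088000)
        libc.so.5 => /lib/libc.so.5 (0x28094000)'

# wildcard_listeners CMD: read sockstat output on stdin and print "PROTO LOCAL"
# for every socket of CMD whose local address is the wildcard (INADDR_ANY).
wildcard_listeners() {
    awk -v cmd="$1" '$2 == cmd && $6 ~ /^[*]:/ { print $5, $6 }'
}

# linked_to_libwrap: read ldd output on stdin; succeed only if libwrap is listed.
# Without libwrap, hosts.allow is never consulted by the daemon.
linked_to_libwrap() {
    grep -q 'libwrap\.so'
}

# hosts.allow fragment: allow loopback and the LAN, deny everyone else.
# tcp-wrappers filters clients after a packet arrives; it does not change
# which addresses rpcbind binds to.
hosts_allow_rules() {
    printf 'rpcbind : 127.0.0.1 %s/%s : allow\n' "$LAN_NET" "$LAN_MASK"
    printf 'rpcbind : ALL : deny\n'
}

# ipfw rules that keep port 111 reachable only from the LAN, plus loopback.
ipfw_rules() {
    printf 'ipfw add allow ip from any to any via lo0\n'
    printf 'ipfw add allow tcp from %s to me 111 in\n' "$LAN_CIDR"
    printf 'ipfw add allow udp from %s to me 111 in\n' "$LAN_CIDR"
    printf 'ipfw add deny tcp from any to me 111 in\n'
    printf 'ipfw add deny udp from any to me 111 in\n'
}

# Demo on the constructed samples; on a real host feed in the output of
# `sockstat -46l` and `ldd /usr/sbin/rpcbind` instead.
echo "rpcbind sockets bound to INADDR_ANY:"
printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners rpcbind
if printf '%s\n' "$SAMPLE_LDD" | linked_to_libwrap; then
    echo "rpcbind is linked to libwrap; hosts.allow applies:"
    hosts_allow_rules
else
    echo "rpcbind is NOT linked to libwrap; hosts.allow would be ignored"
fi
echo "firewall rules:"
ipfw_rules
```

Two things to keep in mind when applying this. The deny rule on port 111 only hides the portmapper; a client that already knows the NFS and mountd port numbers can talk to them directly, so the same allow-LAN-only pattern has to be applied to those ports (and to the /etc/exports host lists) before the NFS daemons themselves are restricted. And verify the result from a host outside 192.168.1.0/24 with `rpcinfo -p <server>`, which should now fail, rather than trusting sockstat, which will still show the wildcard binds.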