From owner-freebsd-security Sat Feb 10 18:17:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id A5D9437B401 for ; Sat, 10 Feb 2001 18:17:12 -0800 (PST)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sat, 10 Feb 2001 18:15:17 -0800
Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f1B2H5563445; Sat, 10 Feb 2001 18:17:05 -0800 (PST) (envelope-from cjc)
Date: Sat, 10 Feb 2001 18:17:04 -0800
From: "Crist J. Clark"
To: Dan Debertin
Cc: Borja Marcos , "freebsd-security@freebsd.org"
Subject: Re: nfsd support for tcp_wrapper -> General RPC solution
Message-ID: <20010210181703.A62368@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <3A8474A6.D5D0DCE9@sarenet.es>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from airboss@bitstream.net on Fri, Feb 09, 2001 at 05:12:42PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Feb 09, 2001 at 05:12:42PM -0600, Dan Debertin wrote:
> On Fri, 9 Feb 2001, Borja Marcos wrote:
> >
> > Yes, and what about having portmap set the right firewall
> > rules to protect RPC services? Whenever a service registers itself
> > to portmap, it puts firewall rules to block access to the port.
> > That is what I am proposing!
>
> I posted on this subject last month. You can trivially update your
> firewall rules with the following set of pipes:
>
> (assuming your NFS server is at 10.0.0.1, and the service you're looking
> for is mountd)
>
> UDPMOUNTD=`rpcinfo -p 10.0.0.1|awk '$5~/mountd/&&$3~/udp/{print $4}'|uniq`
>
> Then, build your ipfw (or ipf, whatever) rules using $UDPMOUNTD:
>
> # ipfw add deny udp from $EXTERNAL_NET to 10.0.0.1 $UDPMOUNTD

This is, of course, backwards; you should have:

# ipfw add pass udp from $INTERNAL_NET to 10.0.0.1 $UDPMOUNTD

And deny by default. :)
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
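The rpcinfo-to-ipfw pipeline quoted above, carried through in the default-deny order the reply asks for, as an added example that is not part of the thread and not anyone's posted code. The `rpcinfo -p` output is constructed (the mountd ports 1023/1022 are made up; the program numbers are the standard ones), the internal net 192.168.1.0/24 is an assumption, and `rpc_port` and `build_rules` are helper names chosen here. The script only prints the rules so they can be reviewed; it never runs ipfw.

```shell
#!/bin/sh
# Added example: look up the port an RPC service registered with portmap
# from `rpcinfo -p` output, then emit ipfw rules as text: an explicit pass
# from the internal net, then a deny from everywhere else for that port.

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   1023  mountd
    100005    3   udp   1023  mountd
    100005    1   tcp   1022  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs'

# rpc_port RPCINFO_TEXT SERVICE PROTO
# Prints each distinct port SERVICE is registered on over PROTO, one per line.
# Columns of `rpcinfo -p` are: program vers proto port service. Exact string
# matches are used instead of the regex match in the quoted one-liner, so
# "nfs" does not also select longer names that merely contain "nfs".
rpc_port() {
    printf '%s\n' "$1" |
        awk -v svc="$2" -v proto="$3" '$5 == svc && $3 == proto { print $4 }' |
        sort -n | uniq
}

# build_rules RPCINFO_TEXT SERVER INTERNAL_NET SERVICE PROTO
# For every port the service registered, emit a pass rule for the internal
# net followed by a deny for everyone else. Returns 1 and emits nothing when
# the service is not registered, so an empty port never becomes a rule that
# matches every port.
build_rules() {
    ports=$(rpc_port "$1" "$4" "$5")
    if [ -z "$ports" ]; then
        echo "build_rules: $4/$5 is not registered with portmap" >&2
        return 1
    fi
    for p in $ports; do
        printf 'ipfw add pass %s from %s to %s %s\n' "$5" "$3" "$2" "$p"
        printf 'ipfw add deny %s from any to %s %s\n' "$5" "$2" "$p"
    done
}

# Example run: mountd over UDP on 10.0.0.1, allowing 192.168.1.0/24 only.
build_rules "$SAMPLE_RPCINFO" 10.0.0.1 192.168.1.0/24 mountd udp
```

The per-port deny line is belt-and-braces; the ruleset should still end in a catch-all deny, as the reply says. Because mountd takes a fresh port each time it starts, this has to be rerun after the service restarts, which is exactly the gap Borja's proposal (portmap installing the rules at registration time) is meant to close.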