From owner-freebsd-security Sat Feb 10 18:28:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 04E8337B401 for ; Sat, 10 Feb 2001 18:28:10 -0800 (PST) Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sat, 10 Feb 2001 18:26:15 -0800 Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f1B2S2m63504; Sat, 10 Feb 2001 18:28:02 -0800 (PST) (envelope-from cjc) Date: Sat, 10 Feb 2001 18:28:01 -0800 From: "Crist J. Clark" To: Alfred Perlstein Cc: Borja Marcos , freebsd-security@FreeBSD.ORG Subject: Re: nfsd support for tcp_wrapper -> General RPC solution Message-ID: <20010210182801.B62368@rfx-216-196-73-168.users.reflex> Reply-To: cjclark@alum.mit.edu References: <3A83C933.8F89DC69@sarenet.es> <20010209133615.P26076@fw.wintelcom.net> <3A8474A6.D5D0DCE9@sarenet.es> <20010209145602.T26076@fw.wintelcom.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010209145602.T26076@fw.wintelcom.net>; from bright@wintelcom.net on Fri, Feb 09, 2001 at 02:56:02PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Feb 09, 2001 at 02:56:02PM -0800, Alfred Perlstein wrote: > * Borja Marcos [010209 14:52] wrote: > > Alfred Perlstein wrote: > > > > > This is a really flawed idea. > > > > Humm. Yours is a flawed reading of my message? ;-) > > You're right. :) > > > > > > > In fact because afaik NFS always uses a well known port, you really > > > don't need portmap to map it, you just need to use the port, > > > portmapper for NFS is just a formality. > > > > > > Ok, with that out of the window, we _could_ consider mucking userland > > > mountd to use tcpwrappers to graft an ACL to what's in /etc/exports. > > > This is also a bad idea, one can just brute force the NFS > > > cookie/filehandle required to gain access, then contact the NFS > > > port. > > > > > > The solution is to use a firewall. > > > > Yes, and what about having portmap set the right firewall > > rules to protect RPC services? Whenever a service registers itself > > to portmap, it puts firewall rules to block access to the port. > > That is what I am proposing! > > > > Yes, NFS uses a fixed port, but not other RPC services. > > Well, using a firewall would work fine, but relying on obfuscation > by just hiding portmap won't. That's where I misread what you said, > I thought you only meant to firewall portmap, but if you can add hooks > to portmap to run ipfw rules... that would interesting. :) The 'right' way to do it would be to look down to the session layer at the RPC header and examine the RPC program number for each packet. A rule would look something like, # ipfw add pass ip from $OK_HOST to $RPC_SERVER rpc $RPC_SERVICE Where $RPC_SERVICE is a number or a name from /etc/rpc. It actually would not be terribly hard to do... not that I am volunteering (or discounting the idea of doing it either). -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message