Date:      Fri, 31 Jul 1998 10:21:28 +0100
From:      Scott Mitchell <scott@dcs.qmw.ac.uk>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: PPP.3000.exposure
Message-ID:  <19980731102128.A4466@dcs.qmw.ac.uk>
In-Reply-To: <Pine.BSF.3.96.980731112116.27739F-100000@enya.hilink.com.au>; from Daniel O'Callaghan on Fri, Jul 31, 1998 at 11:29:22AM +1000
References:  <19980731000439.4580B7036A@spike.porcupine.org> <Pine.BSF.3.96.980731112116.27739F-100000@enya.hilink.com.au>

On Fri, Jul 31, 1998 at 11:29:22AM +1000, Daniel O'Callaghan wrote:
> 
> 
> On Thu, 30 Jul 1998, Wietse Venema wrote:
> 
> > efb@cotdazr.org:
> > > 
> > > Had a random sweep and the question came up .. what and why does my
> > > port 3000 show to the world outside for .. can I block it .. should I
> > > sweat it .. the F.Bsd_205 box is the router as well as main server ..
> > > 
> > > Can I Wrap the 3000 at least so as not to kill iijppp and reduce my
> > > exposure and how ???
> > 
> > This is one feature of the ppp daemon that I didn't like at all.
> > To block, you'd need a kernel-based packet filter; or hack the
> > source and rip out the 
> 
> Brian will correct me if I am wrong, but I believe that for quite a while
> now ppp has not bound to 3000 if there is no password set for the machine. 
> Not perfect protection, of course, but something.  
> 
> It is not too hard to enable ipfw, either in-kernel or as lkm.  Just flick
> the switch in /etc/rc.conf (firewall="YES") and add the appropriate ipfw
> rules.
> 
> Danny

If you can live with logging in to the machine in order to tweak PPP, you
can have it bind to a UNIX domain socket instead.  With appropriate
permissions on the socket you can restrict access (to people in your
'dialer' group perhaps) without having to set a PPP password.  Works for
me.

	Scott.

-- 
===========================================================================
Scott Mitchell          | PGP Key ID |"If I can't have my coffee, I'm just 
<scott@dcs.qmw.ac.uk>   | 0x54B171B9 | like a dried up piece of roast goat"
QMW College, London, UK | 0xAA775B8B |     -- J. S. Bach.
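
The local-domain-socket setup Scott describes, written out as a ppp.conf fragment. This is an added example, not configuration posted in the thread; the 'dialer' group name, the /var/run/ppp-dialer directory and the tun0 socket name are assumptions, and the `set server` syntax is the `set server|socket TcpPort|LocalName|none [password [mask]]` form documented in ppp(8) of that era.

```conf
# /etc/ppp/ppp.conf -- added example, not from the thread above.
# Assumes the 'dialer' group and the socket directory were created
# beforehand, as root, e.g.:
#   pw groupadd dialer
#   pw groupmod dialer -m scott
#   mkdir -m 0750 /var/run/ppp-dialer
#   chgrp dialer /var/run/ppp-dialer
# ppp runs as root, and on BSD a new file takes its group from the
# parent directory, so the socket ppp creates in here ends up owned
# root:dialer.  The 0750 directory mode on its own already keeps
# everyone outside 'dialer' from reaching the socket.
default:
 # Listen on a local-domain socket instead of TCP port 3000.  An
 # absolute path selects a local socket; the second argument is the
 # password (empty: none required, which is the point of the exercise);
 # the third is the mask applied when the socket is created, so 0007
 # leaves rwx for owner and group and nothing for others.  Check the
 # mask semantics in ppp(8) for your release before relying on it.
 set server /var/run/ppp-dialer/tun0 "" 0007
```

With this in place ppp no longer has a TCP listener to wrap or filter; members of 'dialer' talk to it with `pppctl /var/run/ppp-dialer/tun0` (interactively, or with commands appended on the command line) and nobody else can open the socket. Two caveats: the socket exists only while ppp is running and is recreated on each start, so the directory ownership and mode, not anything done to the socket file by hand, is what carries the restriction; and anyone in the group has full control of a daemon running as root, so treat membership the way you would treat wheel.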
