Date: Fri, 31 Jul 1998 10:21:28 +0100
From: Scott Mitchell <scott@dcs.qmw.ac.uk>
To: freebsd-security@FreeBSD.ORG
Subject: Re: PPP.3000.exposure
Message-ID: <19980731102128.A4466@dcs.qmw.ac.uk>
In-Reply-To: <Pine.BSF.3.96.980731112116.27739F-100000@enya.hilink.com.au>; from Daniel O'Callaghan on Fri, Jul 31, 1998 at 11:29:22AM +1000
References: <19980731000439.4580B7036A@spike.porcupine.org> <Pine.BSF.3.96.980731112116.27739F-100000@enya.hilink.com.au>

On Fri, Jul 31, 1998 at 11:29:22AM +1000, Daniel O'Callaghan wrote:
>
>
> On Thu, 30 Jul 1998, Wietse Venema wrote:
>
> > efb@cotdazr.org:
> > >
> > > Had a random sweep and the question came up .. what and why does my
> > > port 3000 show to the world outside for .. can I block it .. should I
> > > sweat it .. the F.Bsd_205 box is the router as well as main server ..
> > >
> > > Can I Wrap the 3000 at least so as not to kill iijppp and reduce my
> > > exposure and how ???
> >
> > This is one feature of the ppp daemon that I didn't like at all.
> > To block, you'd need a kernel-based packet filter; or hack the
> > source and rip out the
>
> Brian will correct me if I am wrong, but I believe that for quite a while
> now ppp has not bound to 3000 if there is no password set for the machine.
> Not perfect protection, of course, but something.
>
> It is not too hard to enable ipfw, either in-kernel or as lkm. Just flick
> the switch in /etc/rc.conf (firewall="YES") and add the appropriate ipfw
> rules.
>
> Danny

If you can live with logging in to the machine in order to tweak PPP, you can
have it bind to a UNIX domain socket instead. With appropriate permissions
on the socket you can restrict access (to people in your 'dialer' group
perhaps) without having to set a PPP password. Works for me.

        Scott.

--
===========================================================================
Scott Mitchell          | PGP Key ID |"If I can't have my coffee, I'm just
<scott@dcs.qmw.ac.uk>   | 0x54B171B9 | like a dried up piece of roast goat"
QMW College, London, UK | 0xAA775B8B |       -- J. S. Bach.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
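The approach in the reply above (a local control socket restricted by file permissions instead of a TCP port), as an added example that is not part of the original message and is not ppp's own code. The function names, the socket name `ppp-ctl` and the use of the current process's group in place of a 'dialer' group are assumptions made for illustration; the audit function goes beyond the message by checking an existing socket for loose permissions.

```python
import os, socket, stat, tempfile

def bind_control_socket(path, mask=0o007, gid=None):
    """Bind a UNIX-domain listener whose file mode is fixed at creation time."""
    if os.path.lexists(path):
        if not stat.S_ISSOCK(os.lstat(path).st_mode):
            raise RuntimeError(f"{path} exists and is not a socket")
        os.unlink(path)              # stale socket left by a previous run
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old = os.umask(mask)             # bind() applies the umask, so there is
    try:                             # no window before a later chmod
        srv.bind(path)
    finally:
        os.umask(old)
    if gid is not None:
        os.chown(path, -1, gid)      # hand access to the chosen group
    srv.listen(1)
    return srv

def audit_control_socket(path):
    """Return a list of findings; an empty list means access is restricted."""
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return [f"{path} is not a socket"]
    findings = []
    if st.st_mode & stat.S_IRWXO:
        findings.append("socket is accessible to 'other'")
    # Some older BSDs ignore the socket's own mode, so the directory
    # permissions are the portable control and are checked as well.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable without sticky bit")
    return findings

def demo():
    """Constructed scenario: one restricted socket, one left wide open."""
    with tempfile.TemporaryDirectory() as d:     # directory is mode 0700
        good = os.path.join(d, "ppp-ctl")        # hypothetical socket name
        srv = bind_control_socket(good, mask=0o007, gid=os.getgid())
        mode = stat.S_IMODE(os.lstat(good).st_mode)
        ok = audit_control_socket(good)
        srv.close()
        bad = os.path.join(d, "ppp-open")
        srv = bind_control_socket(bad, mask=0o000)
        loose = audit_control_socket(bad)
        srv.close()
        return mode, ok, loose
```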