Date: Fri, 26 Jan 2001 11:51:53 -0600 (CST)
From: Dan Debertin <airboss@bitstream.net>
To: <cjclark@alum.mit.edu>
Cc: David La Croix <dlacroix@cowpie.acm.vt.edu>, "Scot W. Hetzel" <hetzels@westbend.net>, <freebsd-security@FreeBSD.ORG>
Subject: Re: buffer overflows in rpc.statd?
Message-ID: <Pine.LNX.4.30.0101261148270.18352-100000@dmitri.bitstream.net>
In-Reply-To: <20010126095147.A66394@rfx-216-196-73-168.users.reflex>
On Fri, 26 Jan 2001, Crist J. Clark wrote:

> I wanted to point out that you cannot really 'block' RPC services
> effectively with ipfw(8) rules. RPC services do not live on certain
> well-known ports[0]. The only way you can effectively block RPC
> services is with default deny rules.

I've gotten around this in the past by putting 'rpcinfo -p | awk' commands in rc.firewall, polling the portmapper on protected hosts and then building firewall rules dynamically for them. It doesn't completely work, because you have to flush & reload your rules when an NFS server bounces, but for cases where that's "good enough", it does the job.

~Dan D.

--
++ Unix is the worst operating system, except for all others.
++ Dan Debertin
++ Senior Systems Administrator
++ Bitstream Underground, LLC
++ airboss@bitstream.net
++ (612)321-9290 x108
++ GPG Fingerprint: 0BC5 F4D6 649F D0C8 D1A7 CAE4 BEF4 0A5C 300D 2387
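The 'rpcinfo -p | awk' approach described in the reply above, written out as an added example that is not part of the original mail. It assumes a trusted client network and an ipfw rule-number base (both placeholders, TRUSTED_NET and RULE_BASE) and parses a constructed sample of rpcinfo -p output rather than a live portmapper; the host-polling wrapper is the only part that touches a real system.

```shell
#!/bin/sh
# Added example (not from the original mail): turn `rpcinfo -p` output into
# ipfw allow rules so RPC services on dynamic ports are reachable only from a
# trusted network, with everything else falling through to a default deny.

TRUSTED_NET="${TRUSTED_NET:-192.0.2.0/24}"   # assumption: clients allowed to reach RPC
RULE_BASE="${RULE_BASE:-2000}"               # assumption: first ipfw rule number to use

# Constructed sample of `rpcinfo -p` output (same columns as FreeBSD's rpcinfo).
# nfs is registered twice (v2 and v3) on the same port to show de-duplication.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100024    1   udp   1023  status
    100024    1   tcp   1020  status
    100021    1   udp   1021  nlockmgr
    100005    1   udp   1018  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs'

# Read rpcinfo -p output on stdin and print one "ipfw add" line per unique
# proto/port pair. Output is text only; pipe it to sh to load the rules.
gen_rpc_rules() {
    awk -v net="$TRUSTED_NET" -v base="$RULE_BASE" '
        $1 == "program" { next }                            # skip header line
        $3 !~ /^(tcp|udp)$/ || $4 !~ /^[0-9]+$/ { next }    # ignore malformed lines
        !seen[$3 " " $4]++ {
            printf "ipfw add %d allow %s from %s to me %d in\n", base + n++, $3, net, $4
        }'
}

# rc.firewall-style use: poll the portmapper on a protected host for its live set.
rpc_rules_from_host() {
    rpcinfo -p "$1" | gen_rpc_rules
}

# Rules for the constructed sample, and their count, for sanity checking.
sample_rules() {
    printf '%s\n' "$SAMPLE_RPCINFO" | gen_rpc_rules
}
sample_rule_count() {
    sample_rules | wc -l | tr -d ' '
}
```

As the mail notes, the generated set is only as current as the last poll: when a server re-registers its services on new ports, the rules have to be flushed and regenerated.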