From owner-freebsd-security Fri Jan 26 13: 6:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 015E837B401 for ; Fri, 26 Jan 2001 13:05:57 -0800 (PST) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id NAA14438; Fri, 26 Jan 2001 13:04:28 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda14436; Fri Jan 26 13:04:14 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f0QL3uj87826; Fri, 26 Jan 2001 13:03:56 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdG87820; Fri Jan 26 13:03:33 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.2/8.9.1) id f0QL3WB50242; Fri, 26 Jan 2001 13:03:32 -0800 (PST) Message-Id: <200101262103.f0QL3WB50242@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdL50238; Fri Jan 26 13:03:17 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Dan Debertin Cc: cjclark@alum.mit.edu, David La Croix , "Scot W. Hetzel" , freebsd-security@FreeBSD.ORG Subject: Re: buffer overflows in rpc.statd? In-reply-to: Your message of "Fri, 26 Jan 2001 11:51:53 CST." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 26 Jan 2001 13:03:17 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message , Dan Debertin writes: > On Fri, 26 Jan 2001, Crist J. Clark wrote: > > > > > I wanted to point out that you cannot really 'block' RPC services > > effectively with ipfw(8) rules. RPC services do not live on certain > > well-known ports[0]. The only way you can effectively block RPC > > services is with default deny rules. > > I've gotten around this in the past by putting 'rpcinfo -p | awk' commands > in rc.firewall, polling the portmapper on protected hosts and then > building firewall rules dynamically for them. It doesn't completely work, > because you have to flush & reload your rules when an NFS server bounces, > but for cases where that's "good enough", it does the job. This only works if the services you're protecting are running on the the firewall itself. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message