From owner-freebsd-stable Thu Jan 13 6:50:38 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from salmon.maths.tcd.ie (salmon.maths.tcd.ie [134.226.81.11])
	by hub.freebsd.org (Postfix) with SMTP id F342515002
	for ; Thu, 13 Jan 2000 06:50:09 -0800 (PST)
	(envelope-from dwmalone@maths.tcd.ie)
Received: from walton.maths.tcd.ie by salmon.maths.tcd.ie with SMTP
	id ; 13 Jan 2000 14:49:47 +0000 (GMT)
Date: Thu, 13 Jan 2000 14:49:46 +0000
From: David Malone
To: Brad Knowles
Cc: Gawel , "freebsd-stable@FreeBSD.ORG"
Subject: Re: portmap
Message-ID: <20000113144946.A84064@walton.maths.tcd.ie>
References: <387DB3BB.8D85E624@sim.com.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from blk@skynet.be on Thu, Jan 13, 2000 at 01:07:54PM +0100
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, Jan 13, 2000 at 01:07:54PM +0100, Brad Knowles wrote:

> My understanding is that portmap uses UDP, which TCP-Wrappers
> doesn't protect.

tcpd has no problem protecting the first connection to UDP
applications run from inetd. TCP wait services are a problem though.
Programs which use libwrap directly don't have this restriction.

> You can get an improved version of portmap that makes explicit
> use of wraplib (I'd suggest starting with Wietse Venema's version).
> I'd go to and start from there.

FreeBSD's portmapper uses libwrap and so should have all the access
controls Wietse's version has. (In fact, I think it uses his code).

In response to the original poster's problem of not wanting to see
the log messages when connections are denied, one option would be
to use the "severity" option in hosts.allow to log the messages at
a different level/facility.

> Or you can make use of kernel-level firewalling to prevent anyone
> from successfully getting packets through to a particular port on
> your machine, unless you want to let them through. Look at "man
> ipfw" for starters.
This is probably a more general solution to unwanted connections though.

	David.
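As an added illustration of the "severity" suggestion in the message above (not part of the original post, and not FreeBSD's shipped configuration): a hosts.allow fragment in the hosts_options(5) syntax that permits portmap from one network and logs every other attempt under a separate syslog facility, so the denials stay out of the main log. The 192.0.2.0 network, the local3 facility and the log file path are constructed sample values.

```conf
# /etc/hosts.allow (fragment; first matching rule wins)
#
# Allow portmap requests from the trusted network.
# Use numeric addresses here rather than hostnames.
# 192.0.2.0/255.255.255.0 is a constructed sample network.
portmap : 192.0.2.0/255.255.255.0 : allow

# Deny everything else, but log the denial at local3.info instead of
# the default severity, so it can be routed away from the main log.
portmap : ALL : severity local3.info : deny

# /etc/syslog.conf (fragment)
#
# Send the re-tagged messages to their own file (assumed path).
# The file must exist before syslogd is restarted.
local3.info	/var/log/portmap-denied.log
```

Keeping the denials in a separate file rather than discarding them preserves a record of who is probing the portmapper.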