Date:      Sun, 22 Oct 2000 02:29:03 +0100 (BST)
From:      Andrew Gordon <arg@arg1.demon.co.uk>
To:        vladimir@math.uic.edu
Cc:        freebsd-stable@freebsd.org
Subject:   Re: ipfw advice needed
Message-ID:  <Pine.BSF.4.21.0010212224590.18851-100000@server.arg.sj.co.uk>
In-Reply-To: <20001021182240.21355.qmail@math.uic.edu>

On 21 Oct 2000 vladimir@math.uic.edu wrote:
> 
> I am trying to set up ipfw rules to protect some
> of our crucial machines, including a file server.
> The system is 4.1.1-STABLE.    So far I've been
> using access lists on the router, but would like
> to get some extra security on the machine itself.
> One thing got me confused:  there are a couple of
> daemons that are listening on ports not
> listed in /etc/services.   For example, (lsof output):
> 
> ypbind      128   root    5u  IPv4 0xcefe2b60      0t0  TCP *:1022 (LISTEN)
> ... etc...
> 
> ypbind listens on ports 1022, mountd on tcp port 1021, ypserv on tcp
> port 1023, statd on port 1020.    What do I do with those?
> Are these ports officially assigned or are they arbitrarily selected
> by these daemons when they start and register with the portmapper?
> Is there a range of TCP ports that I should keep opened for 
> incoming connections for these services to operate properly?

They are arbitrarily selected when the daemons start.  If you look at

    /usr/src/usr.sbin/ypbind/ypbind.c
or  /usr/src/src/usr.sbin/rpc.statd/statd.c

you will find near-identical code in their main() functions that includes:

  transp = svcudp_create(RPC_ANYSOCK);
  transp = svctcp_create(RPC_ANYSOCK, 0, 0);

where the RPC_ANYSOCK caused an arbitrary port to be assigned.  If you
really want to control the port, it would be fairly easy to add a
command-line option for the port number, then create a socket, bind it to
that port number and pass it in place of RPC_ANYSOCK.

I'm not sure why you really need this, however: if you're granting access
to NFS, closing off a few other ports that aren't in use for anything
particular doesn't seem a great increase in security.
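The "create a socket, bind it to that port number and pass it in place of RPC_ANYSOCK" step from the reply above, as an added example that is not part of the original message or of the FreeBSD ypbind/statd sources. It does the socket-and-bind part only: the descriptor it returns is what you would hand to svcudp_create() or svctcp_create() instead of RPC_ANYSOCK, and that call is omitted because it needs the Sun RPC library. Port 0 reproduces the RPC_ANYSOCK behaviour (kernel-chosen, arbitrary port); a non-zero port pins the listener so an ipfw rule can name it. The port 46021 and the loopback address are constructed values for the demonstration; the reserved ports 1020-1023 that the real daemons end up on are below 1024 and need root to bind.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a socket of the given type (SOCK_DGRAM or SOCK_STREAM) and bind it
 * to addr:port.  port == 0 gives the same result as RPC_ANYSOCK: the kernel
 * picks an arbitrary port.  A non-zero port pins the listener so a firewall
 * rule can refer to it.  Returns the descriptor, or -1 on error. */
int bind_fixed_port(int type, const char *addr, uint16_t port)
{
    int fd = socket(AF_INET, type, 0);
    if (fd < 0)
        return -1;

    /* Let a restarted daemon reclaim its fixed port while old connections
     * are still in TIME_WAIT; harmless for the ephemeral case. */
    int one = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0) {
        close(fd);
        return -1;
    }

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);            /* 0 = let the kernel choose */
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1) {
        close(fd);
        return -1;
    }
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Report the port the socket actually ended up on (what lsof would show).
 * Returns 0 on error. */
uint16_t bound_port(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0)
        return 0;
    return ntohs(sin.sin_port);
}

int main(void)
{
    /* Constructed demo values: loopback and a high, unprivileged port. */
    int any = bind_fixed_port(SOCK_DGRAM, "127.0.0.1", 0);
    int fixed = bind_fixed_port(SOCK_STREAM, "127.0.0.1", 46021);
    if (any < 0 || fixed < 0) {
        perror("bind_fixed_port");
        return 1;
    }
    printf("RPC_ANYSOCK-style (port 0): kernel chose port %u\n", bound_port(any));
    printf("fixed port requested:       bound to port %u\n", bound_port(fixed));
    /* Either descriptor could now be passed to svcudp_create()/svctcp_create()
     * in place of RPC_ANYSOCK; the fixed one is the one a firewall can name. */
    close(any);
    close(fixed);
    return 0;
}
```

Run it twice and the port-0 socket will usually land on a different port each time, which is exactly why the ports in the lsof output above are not stable across reboots; the pinned socket comes back on 46021 every time. If you adopt this in a daemon, verify with lsof or sockstat after startup that the listener really is on the port your ipfw rule names, since a failed bind that falls back to RPC_ANYSOCK would silently reopen the problem.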
