Date: 22 Oct 2000 01:39:10 -0000
From: vladimir@math.uic.edu
To: arg@arg1.demon.co.uk
Cc: freebsd-stable@freebsd.org
Subject: Re: ipfw advice needed
Message-ID: <20001022013910.22462.qmail@math.uic.edu>
>From arg@arg1.demon.co.uk Sun Oct 22 01:31:42 2000
>Delivered-To: vladimir@math.uic.edu
>Date: Sun, 22 Oct 2000 02:29:03 +0100 (BST)
>From: Andrew Gordon <arg@arg1.demon.co.uk>
>X-Sender: arg@server.arg.sj.co.uk
>To: vladimir@math.uic.edu
>Cc: freebsd-stable@freebsd.org
>Subject: Re: ipfw advice needed
>MIME-Version: 1.0
>
>On 21 Oct 2000 vladimir@math.uic.edu wrote:
>>
>> I am trying to set up ipfw rules to protect some
>> of our crucial machines, including a file server.
>> The system is 4.1.1-STABLE. So far I've been
>> using access lists on the router, but would like
>> to get some extra security on the machine itself.
>> One thing got me confused: there are a couple of
>> daemons that are listening on ports not
>> listed in /etc/services. For example (lsof output):
>>
>> ypbind 128 root 5u IPv4 0xcefe2b60 0t0 TCP *:1022 (LISTEN)
>> ... etc...
>>
>> ypbind listens on port 1022, mountd on tcp port 1021, ypserv on tcp
>> port 1023, statd on port 1020. What do I do with those?
>> Are these ports officially assigned or are they arbitrarily selected
>> by these daemons when they start and register with the portmapper?
>> Is there a range of TCP ports that I should keep open for
>> incoming connections for these services to operate properly?
>
>They are arbitrarily selected when the daemons start. If you look at
>
> /usr/src/usr.sbin/ypbind/ypbind.c
>or /usr/src/src/usr.sbin/rpc.statd/statd.c
>
>you will find near-identical code in their main() functions that includes:
>
> transp = svcudp_create(RPC_ANYSOCK);
> transp = svctcp_create(RPC_ANYSOCK, 0, 0);

Great. Thank you very much, this explains everything.

>
>where the RPC_ANYSOCK caused an arbitrary port to be assigned. If you
>really want to control the port, it would be fairly easy to add a
>command-line option for the port number, then create a socket, bind it to
>that port number and pass it in place of RPC_ANYSOCK.
>
>I'm not sure why you really need this, however: if you're granting access
>to NFS, closing off a few other ports that aren't in use for anything
>particular doesn't seem a great increase in security.

You are probably right, I was just being pedantic :-)

Thanks a lot for your help!

Vladimir

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
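The "create a socket, bind it to that port number and pass it in place of RPC_ANYSOCK" step that Andrew sketches, written out as an added example. This is not code from the thread or from FreeBSD's ypbind/statd; the function names are this example's own. With RPC_ANYSOCK the Sun RPC library creates the socket itself and, when running as root, uses bindresvport() to grab a free reserved port, which is why the observed listeners sit just below 1024 and why they move between boots. The example omits the svcudp_create()/svctcp_create() calls themselves so that it builds without the RPC headers (libtirpc on current Linux); the descriptor it returns is what you would hand to those calls. It binds loopback and an ephemeral port so that it runs unprivileged; binding a port below 1024 for a real daemon needs root.

```c
/* Added example (not from the thread or FreeBSD): bind an RPC service socket
 * to an administrator-chosen port instead of letting RPC_ANYSOCK pick one.
 * The returned descriptor would replace RPC_ANYSOCK in svcudp_create() /
 * svctcp_create(); those calls are left out so this builds without librpc. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a socket of the given type (SOCK_STREAM for svctcp_create, SOCK_DGRAM
 * for svcudp_create) bound to addr:port. port == 0 asks the kernel for an
 * ephemeral port, i.e. the same "arbitrary" assignment RPC_ANYSOCK gives you.
 * Returns the fd, or -1 with errno set. listen() is the RPC library's job. */
int bind_fixed_port(const char *addr, int type, unsigned short port)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, type, 0);
    int one = 1;

    if (fd < 0)
        return -1;
    /* A restarted daemon must be able to rebind the same port while old
     * connections are still in TIME_WAIT, otherwise a fixed port is a liability. */
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)) < 0) {
        close(fd);
        return -1;
    }
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1) {
        close(fd);
        return -1;
    }
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Report the port a bound socket actually got, the number the firewall rule
 * has to agree with. Returns -1 on error. */
int bound_port(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);

    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0)
        return -1;
    return ntohs(sin.sin_port);
}

/* Contrast the two behaviours for one socket type: take whatever ephemeral
 * port the kernel hands out (the RPC_ANYSOCK case), release it, then ask for
 * exactly that port and confirm the socket lands on it (the fixed case).
 * Returns the port on success, -1 on failure. */
int demo_fixed_vs_arbitrary(int type)
{
    int fd = bind_fixed_port("127.0.0.1", type, 0);
    int port, fixed;

    if (fd < 0)
        return -1;
    port = bound_port(fd);
    close(fd);
    if (port <= 0)
        return -1;
    fixed = bind_fixed_port("127.0.0.1", type, (unsigned short)port);
    if (fixed < 0)
        return -1;
    if (bound_port(fixed) != port) {
        close(fixed);
        return -1;
    }
    close(fixed);
    return port;
}

int main(void)
{
    int tcp = demo_fixed_vs_arbitrary(SOCK_STREAM);
    int udp = demo_fixed_vs_arbitrary(SOCK_DGRAM);

    if (tcp < 0 || udp < 0) {
        perror("bind");
        return 1;
    }
    printf("tcp bound to %d, udp bound to %d\n", tcp, udp);
    return 0;
}
```

In a daemon you would call bind_fixed_port() once per transport (the daemons in the thread create both a UDP and a TCP service), fail hard if bind() is refused rather than silently falling back to RPC_ANYSOCK, and only then open the ipfw rule for that port. Note that fixing the port does not remove the portmapper dependency: clients still ask rpcbind/portmap where the service is, so the portmapper port has to stay reachable as well.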