From owner-freebsd-isp Tue Jan 12 19:42:57 1999
Date: Wed, 13 Jan 1999 14:37:36 +1100 (EST)
From: Rowan Crowe <rowan@sensation.net.au>
To: Dale Walker
cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Suggestions
In-Reply-To: <017201be3e9c$10461040$06f725cb@sun1.icr.com.au>

On Wed, 13 Jan 1999, Dale Walker wrote:

(posting back to the list in the hope that someone intimately familiar with
portmap and maybe NIS can help me with my understanding)

> >little nervous about running portmap as I see probes to port 111 quite
> >frequently, I can block external access to that using ipfw but I can't
> >block the ports that are assigned dynamically.
> >
> >Any ideas on how to get portmap to bind to a specific (non global) IP
> >only?
> >
>
> hmm... no I don't know how to bind portmap to a specific interface....but,
> can't you block port 111 coming in at the router, and perhaps use xinetd or
> tcpwrappers on the actual ports used. also set the -R flag on inetd...

My understanding of portmap is that it's a dynamic port mapping service.
Clients query a fixed query port (111) then get redirected to a
dynamically(?) assigned port to talk to the relevant server directly.

Hmm, OTOH I just started ypserv on a second machine and it opened UDP port
999, which is also open on the main ypserv machine... perhaps that's the NIS
port? 999 in /etc/services doesn't seem to indicate it is. Can anyone help
out with this, does ypserv _always_ listen on the same port?

Anyway, I already have UDP/TCP 111 blocked at my border, but that doesn't
stop someone doing a port scan and finding out which port my ypserv happens
to be sitting on at the time - thus the need to bind to a single interface
only, that is not world reachable! Perhaps it's ypserv that needs to be
hacked rather than portmap, if it's opening the ports itself.

The only reason for UDP packets arriving to my servers from external sources
should be port 53 and port 3130 (squid). I wonder if it's possible to set up
a paranoid firewall, along the lines of...

    1000 allow udp from any to my_server_ip 53 in via iface
    1000 allow udp from my_server_ip to any 53 in via iface
    1000 allow udp from any 3130 to any 3130 in via iface    # lazy, can be refined
    1010 deny log udp from any to any in via iface

The only problem is that my servers have multiple interfaces, so I'd need to
set up quite a few rules per interface. Does ipfw have something along the
lines of "destination is a local ip on this machine" yet? e.g.:

    allow udp from any to any_of_my_configured_ips

Another solution might be to block inbound UDP packets to ports 0-1023 except
for 53 and any other ports required to have external access. RPC services
seem to use ports <1024. Again is anyone able to confirm this?

Cheers.

--
Rowan Crowe                     Sensation Internet Services, Melbourne Aust
fidonet: 3:635/728              +61-3-9388-9260
http://www.rowan.sensation.net.au/      http://www.sensation.net.au/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
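The "paranoid" inbound-UDP rule set sketched in the message above, as an added example that is not part of the original post: a small generator that emits the same rule block once per interface/address pair so a multi-homed box does not have to be done by hand. The interface names and addresses are constructed placeholders, the allowed-port list is an assumption, and the rule syntax is the classic `ipfw add <num> ... in via <iface>` form; the script only prints the commands and never invokes ipfw itself.

```shell
#!/bin/sh
# Constructed example: generate the per-interface UDP rule set described in
# the message for every interface/address pair on a multi-homed server.
# Nothing here calls ipfw; the functions only emit the commands.

# Interface:address pairs are constructed placeholders (RFC 5737 ranges).
IFACE_ADDRS="fxp0:203.0.113.5 fxp1:198.51.100.9"
# UDP ports that must stay reachable from the outside (DNS here).
ALLOW_PORTS="53"

# gen_udp_rules IFACE ADDR BASE
# Prints the rules for one interface: allowed ports first, then squid ICP,
# then a logged deny for every other inbound UDP packet on that interface.
gen_udp_rules() {
    iface=$1; addr=$2; num=$3
    for port in $ALLOW_PORTS; do
        # queries from anywhere to this address on an allowed port
        echo "ipfw add $num allow udp from any to $addr $port in via $iface"
        # replies to queries this server sent out to that port
        echo "ipfw add $num allow udp from any $port to $addr in via $iface"
    done
    # squid ICP peering on 3130 (kept as loose as the original sketch)
    echo "ipfw add $num allow udp from any 3130 to $addr 3130 in via $iface"
    # everything else inbound on this interface is dropped and logged
    echo "ipfw add $((num + 10)) deny log udp from any to any in via $iface"
}

# gen_all_rules
# Walks IFACE_ADDRS, giving each interface its own block of rule numbers
# (1000, 1100, 1200, ...) so a later edit to one interface is easy to find.
gen_all_rules() {
    base=1000
    for pair in $IFACE_ADDRS; do
        gen_udp_rules "${pair%%:*}" "${pair#*:}" "$base"
        base=$((base + 100))
    done
}

gen_all_rules
```

Review the printed rules against the box's actual interfaces before piping them into a shell on the firewall host; a TCP rule set and the border filter on port 111 are still needed alongside this.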