From owner-freebsd-isp Tue Jan 12 23:02:23 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA00684
	for freebsd-isp-outgoing; Tue, 12 Jan 1999 23:02:23 -0800 (PST)
	(envelope-from owner-freebsd-isp@FreeBSD.ORG)
Received: from super-g.inch.com (super-g.com [207.240.140.161]) by hub.freebsd.org (8.8.8/8.8.8)
	with ESMTP id XAA00669 for ; Tue, 12 Jan 1999 23:02:21 -0800 (PST)
	(envelope-from spork@super-g.com)
Received: from localhost (localhost [127.0.0.1]) by super-g.inch.com (8.8.8/8.8.5)
	with SMTP id CAA04249; Wed, 13 Jan 1999 02:00:27 -0500 (EST)
Date: Wed, 13 Jan 1999 02:00:27 -0500 (EST)
From: spork
X-Sender: spork@super-g.inch.com
To: Rowan Crowe
cc: Dale Walker , freebsd-isp@FreeBSD.ORG
Subject: Re: Suggestions
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

While it's not noted in the manpage, someone pointed this out to me after I
tried Wietse's 'secure portmap':

oot@bigred[/usr/src/usr.sbin/ypserv]# more ../portmap/Makefile
#	@(#)Makefile	8.1 (Berkeley) 6/6/93

PROG=	portmap
MAN8=	portmap.8
SRCS=	portmap.c from_local.c pmap_check.c
SUBDIR=	pmap_set pmap_dump

# -DHOSTS_ACCESS (requires tcpwrapper libraries)
CFLAGS+=-DCHECK_PORT

This allows you to restrict access if you have tcpwrappers installed.

Looking at ypserv and nfsd and friends, I don't see similar access
controls. Here I hard coded in the bind address for nfsd so that it only
binds on the private network. Haven't had the guts to touch NIS yet
though... Oddly enough I still see the machines try to talk to each other
on the 'dirty' net, but they don't succeed.

It would be very cool if there were access controls on all the "scary"
services like yp and nfs. There's always ipfw, though.

Charles

---
Charles Sprickman
spork@super-g.com
---
"...there's no idea that's so good you can't ruin it with a few
well-placed idiots."
On Wed, 13 Jan 1999, Rowan Crowe wrote:

> On Wed, 13 Jan 1999, Dale Walker wrote:
>
> (posting back to the list in the hope that someone intimately familiar
> with portmap and maybe NIS can help me with my understanding)
>
> > >little nervous about running portmap as I see probes to port 111 quite
> > >frequently, I can block external access to that using ipfw but I can't
> > >block the ports that are assigned dynamically.
> > >
> > >Any ideas on how to get portmap to bind to a specific (non global) IP
> > >only?
> > >
> >
> > hmm... no I don't know how to bind portmap to a specific interface....but,
> > can't you block port 111 coming in at the router, and perhaps use xinetd or
> > tcpwrappers on the actual ports used. also set the -R flag on inetd...
>
> My understanding of portmap is that it's a dynamic port mapping service.
> Clients query a fixed query port (111) then get redirected to a
> dynamically(?) assigned port to talk to the relevant server directly.
>
> Hmm, OTOH I just started ypserv on a second machine and it opened UDP port
> 999, which is also open on the main ypserv machine... perhaps that's the
> NIS port? 999 in /etc/services doesn't seem to indicate it is. Can anyone
> help out with this, does ypserv _always_ listen on the same port?
>
> Anyway, I already have UDP/TCP 111 blocked at my border, but that doesn't
> stop someone doing a port scan and finding out which port my ypserv
> happens to be sitting on at the time - thus the need to bind to a single
> interface only, that is not world reachable!
>
> Perhaps it's ypserv that needs to be hacked rather than portmap, if it's
> opening the ports itself.
>
> The only reason for UDP packets arriving to my servers from external
> sources should be port 53 and port 3130 (squid). I wonder if it's possible
> to set up a paranoid firewall, along the lines of...
>
> 1000 allow udp from any to my_server_ip 53 in via iface
> 1000 allow udp from my_server_ip to any 53 in via iface
> 1000 allow udp from any 3130 to any 3130 in via iface # lazy, can be refined
> 1010 deny log udp from any to any in via iface
>
> The only problem is that my servers have multiple interfaces, so I'd need
> to set up quite a few rules per interface. Does ipfw have something along
> the lines of "destination is a local ip on this machine" yet? eg: allow
> udp from any to any_of_my_configured_ips.
>
> Another solution might be to block inbound UDP packets to ports 0-1023
> except for 53 and any other ports required to have external access. RPC
> services seem to use ports <1024. Again is anyone able to confirm this?
>
> Cheers.
>
>
> --
> Rowan Crowe              Sensation Internet Services, Melbourne Aust
> fidonet: 3:635/728                                   +61-3-9388-9260
> http://www.rowan.sensation.net.au/         http://www.sensation.net.au/
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
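The two halves of the thread (portmap handing out the port on 111, and a port scan finding ypserv anyway once 111 is blocked) are both plain RPC traffic, and it helps to see the packets. What follows is an added example written for this page, not code from the thread, from FreeBSD's portmap or from Wietse's package. It builds the RPC v2 CALL/REPLY messages from RFC 1057 and the portmapper v2 GETPORT procedure from RFC 1833 by hand, using the registered program numbers (100000 portmap, 100003 nfs, 100004 ypserv, 100005 mountd). The replies it parses are constructed inline so it runs offline; the port 999 used in the sample reply is only Rowan's observed value reused as test data, and the function names (`rpc_call`, `classify_direct_probe`, `probe_udp`, and so on) are this example's own.

```python
"""ONC RPC (RFC 1057) / portmapper v2 (RFC 1833) messages built by hand, to show
why blocking port 111 alone does not hide ypserv or nfsd: one UDP packet to 111
asks portmap where a program lives, and a NULL call fired at any port finds the
service without portmap at all.  Replies are constructed so it runs offline."""
import socket
import struct

# Well-known program numbers from the RPC program number registry.
PMAP_PROG, NFS_PROG, YPSERV_PROG, MOUNTD_PROG = 100000, 100003, 100004, 100005
PMAP_VERS, PMAPPROC_NULL, PMAPPROC_GETPORT = 2, 0, 3
IPPROTO_UDP = 17
MSG_CALL, MSG_REPLY, MSG_ACCEPTED = 0, 1, 0
AUTH_NULL = struct.pack(">II", 0, 0)          # flavor AUTH_NULL, empty body
ACCEPT_STAT = {0: "SUCCESS", 1: "PROG_UNAVAIL", 2: "PROG_MISMATCH",
               3: "PROC_UNAVAIL", 4: "GARBAGE_ARGS", 5: "SYSTEM_ERR"}


def rpc_call(xid, prog, vers, proc, args=b""):
    """RPC CALL (RPC version 2) with null credentials and verifier."""
    hdr = struct.pack(">IIIIII", xid, MSG_CALL, 2, prog, vers, proc)
    return hdr + AUTH_NULL + AUTH_NULL + args


def pmap_getport_call(xid, prog, vers, prot=IPPROTO_UDP):
    """PMAPPROC_GETPORT: 'where is prog/vers over prot?' (port arg is ignored)."""
    args = struct.pack(">IIII", prog, vers, prot, 0)
    return rpc_call(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT, args)


def rpc_reply(xid, accept_stat, result=b""):
    """Server side: accepted reply with a null verifier (constructed, offline use)."""
    return (struct.pack(">III", xid, MSG_REPLY, MSG_ACCEPTED) + AUTH_NULL
            + struct.pack(">I", accept_stat) + result)


def pmap_getport_reply(xid, port):
    """What portmap answers a GETPORT with; port 0 means 'not registered'."""
    return rpc_reply(xid, 0, struct.pack(">I", port))


def parse_reply(data, expect_xid):
    """(accept_stat name, result bytes); ValueError unless it is an accepted
    RPC reply to our xid."""
    if len(data) < 24:
        raise ValueError("short or non-RPC reply")
    xid, mtype, rstat = struct.unpack(">III", data[:12])
    if xid != expect_xid or mtype != MSG_REPLY:
        raise ValueError("not a reply to our call")
    if rstat != MSG_ACCEPTED:
        raise ValueError("MSG_DENIED")
    _flavor, vlen = struct.unpack(">II", data[12:20])
    off = 20 + ((vlen + 3) & ~3)              # XDR pads the opaque verifier to 4 bytes
    if len(data) < off + 4:
        raise ValueError("truncated reply")
    (astat,) = struct.unpack(">I", data[off:off + 4])
    return ACCEPT_STAT.get(astat, str(astat)), data[off + 4:]


def getport_from_reply(data, expect_xid):
    """Port from a GETPORT reply (0 = program not registered with portmap)."""
    stat, result = parse_reply(data, expect_xid)
    if stat != "SUCCESS" or len(result) < 4:
        raise ValueError(stat)
    return struct.unpack(">I", result[:4])[0]


def classify_direct_probe(data, expect_xid):
    """Read the answer to a NULL call sent straight at a candidate port: this is
    how a scanner locates ypserv when 111 is firewalled."""
    try:
        stat, _ = parse_reply(data, expect_xid)
    except ValueError:
        return "not-rpc"                       # silence, ICMP unreachable or garbage
    if stat == "SUCCESS":
        return "present"                       # that program answers on this port
    if stat in ("PROG_UNAVAIL", "PROG_MISMATCH"):
        return "other-rpc"                     # an RPC server, but a different program
    return "rpc-error"


def probe_udp(host, port, prog, vers, xid=0x5EED, timeout=2.0):
    """Live variant (hypothetical helper, not run offline): one NULL call at
    host:port for program prog/vers, classified like the constructed replies."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(rpc_call(xid, prog, vers, PMAPPROC_NULL), (host, port))
        try:
            data, _ = s.recvfrom(8192)
        except socket.timeout:
            data = b""
    return classify_direct_probe(data, xid)
```

The point of `classify_direct_probe` is the second half of Rowan's worry: a server answering a NULL call with SUCCESS has just confirmed the program number, and one answering PROG_UNAVAIL has confirmed it is some other RPC service, so a scan of the UDP range finds ypserv with no help from port 111. That is why the thread ends up at binding the daemons to the private interface, or an ipfw rule set that denies the whole range, rather than at filtering 111 alone.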