Date:      Wed, 13 Jan 1999 02:00:27 -0500 (EST)
From:      spork <spork@super-g.com>
To:        Rowan Crowe <rowan@sensation.net.au>
Cc:        Dale Walker <dale@icr.com.au>, freebsd-isp@FreeBSD.ORG
Subject:   Re: Suggestions
Message-ID:  <Pine.BSF.4.00.9901130154200.11131-100000@super-g.inch.com>
In-Reply-To: <Pine.BSF.4.01.9901131415280.5647-100000@velvet.sensation.net.au>

While it's not noted in the manpage, someone pointed this out to me after
I tried Wietse's 'secure portmap':

root@bigred[/usr/src/usr.sbin/ypserv]# more ../portmap/Makefile
#       @(#)Makefile    8.1 (Berkeley) 6/6/93

PROG=   portmap
MAN8=   portmap.8
SRCS=   portmap.c from_local.c pmap_check.c
SUBDIR= pmap_set pmap_dump

# -DHOSTS_ACCESS (requires tcpwrapper libraries)
CFLAGS+=-DCHECK_PORT

This allows you to restrict access if you have tcpwrappers installed.
Looking at ypserv and nfsd and friends, I don't see similar access
controls.  Here I hard coded in the bind address for nfsd so that it only
binds on the private network.  Haven't had the guts to touch NIS yet
though...  Oddly enough I still see the machines try to talk to each other
on the 'dirty' net, but they don't succeed.

It would be very cool if there were access controls on all the "scary"
services like yp and nfs.  There's always ipfw, though. 

Charles

---
Charles Sprickman
spork@super-g.com
--- 
                     "...there's no idea that's so good you can't 
                      ruin it with a few well-placed idiots." 

On Wed, 13 Jan 1999, Rowan Crowe wrote:

> On Wed, 13 Jan 1999, Dale Walker wrote:
> 
> 
> (posting back to the list in the hope that someone intimately familiar
> with portmap and maybe NIS can help me with my understanding)
> 
> 
> > >little nervous about running portmap as I see probes to port 111 quite
> > >frequently, I can block external access to that using ipfw but I can't
> > >block the ports that are assigned dynamically.
> > >
> > >Any ideas on how to get portmap to bind to a specific (non global) IP
> > >only?
> > >
> > 
> > hmm... no I don't know how to bind portmap to a specific interface....but,
> > can't you block port 111 coming in at the router, and perhaps use xinetd or
> > tcpwrappers on the actual ports used. also set the -R flag on inetd...
> 
> My understanding of portmap is that it's a dynamic port mapping service.
> Clients query a fixed query port (111) then get redirected to a
> dynamically(?) assigned port to talk to the relevant server directly.
> 
> Hmm, OTOH I just started ypserv on a second machine and it opened UDP port
> 999, which is also open on the main ypserv machine... perhaps that's the
> NIS port? 999 in /etc/services doesn't seem to indicate it is. Can anyone
> help out with this, does ypserv _always_ listen on the same port?
> 
> Anyway, I already have UDP/TCP 111 blocked at my border, but that doesn't
> stop someone doing a port scan and finding out which port my ypserv
> happens to be sitting on at the time - thus the need to bind to a single
> interface only, that is not world reachable!
> 
> Perhaps it's ypserv that needs to be hacked rather than portmap, if it's
> opening the ports itself.
> 
> The only reason for UDP packets arriving to my servers from external
> sources should be port 53 and port 3130 (squid). I wonder if it's possible
> to set up a paranoid firewall, along the lines of...
> 
> 1000 allow udp from any to my_server_ip 53 in via iface
> 1000 allow udp from my_server_ip to any 53 in via iface
> 1000 allow udp from any 3130 to any 3130 in via iface  # lazy, can be refined
> 1010 deny log udp from any to any in via iface
> 
> The only problem is that my servers have multiple interfaces, so I'd need
> to set up quite a few rules per interface. Does ipfw have something along
> the lines of "destination is a local ip on this machine" yet? eg: allow
> udp from any to any_of_my_configured_ips.
> 
> Another solution might be to block inbound UDP packets to ports 0-1023
> except for 53 and any other ports required to have external access. RPC
> services seem to use ports <1024. Again is anyone able to confirm this?
> 
> Cheers.
> 
> 
> --
> Rowan Crowe                     Sensation Internet Services, Melbourne Aust
> fidonet: 3:635/728                                          +61-3-9388-9260
> http://www.rowan.sensation.net.au/             http://www.sensation.net.au/
> 
> 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
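The "paranoid firewall" Rowan sketches above, generalised to a host with several addresses, as an added example that is not part of the thread: a small sh(1) function prints an ipfw ruleset that allows the few UDP services meant to be world reachable on every listed local address and then drops and logs all other inbound UDP on the outside interface, so whatever port portmap, ypserv or nfsd happen to bind is unreachable no matter which address it sits on. The interface name fxp0, the 192.0.2.x addresses, the rule numbers and the DNS reply rule are assumptions, and nothing is loaded into the kernel; the output is meant to be reviewed and then fed to ipfw(8).

```shell
#!/bin/sh
# Added example (not from the thread): emit an ipfw ruleset in the spirit of
# the "paranoid firewall" above for a host with several addresses, so that
# the dynamically assigned RPC ports behind portmap are never reachable from
# the outside interface. Rules are printed, not loaded. Interface names,
# addresses and rule numbers are assumptions.

# gen_udp_rules IFACE "IP1 IP2 ..." "PORT1 PORT2 ..."
#   IFACE - the world-reachable interface (e.g. fxp0)
#   IPs   - every address configured on this host that is reachable via IFACE
#   PORTS - UDP ports that must accept unsolicited traffic from anywhere
gen_udp_rules() {
    iface=$1
    ips=$2
    ports=$3
    n=1000

    # Explicit allows for the listed services on each local address, which
    # stands in for the "any_of_my_configured_ips" ipfw does not offer.
    for ip in $ips; do
        for p in $ports; do
            printf 'add %d allow udp from any to %s %s in via %s\n' \
                "$n" "$ip" "$p" "$iface"
            n=$((n + 10))
        done
    done

    # Stateless ipfw needs a rule for DNS replies coming back to the
    # resolver's high port; assumption: the host queries external name
    # servers, so only packets with source port 53 are let in.
    for ip in $ips; do
        printf 'add %d allow udp from any 53 to %s in via %s\n' \
            "$n" "$ip" "$iface"
        n=$((n + 10))
    done

    # Everything else inbound UDP on this interface is dropped and logged.
    # This covers the RPC ports whatever portmap/ypserv chose, on any
    # address of the box, so there is no per-IP deny rule to maintain.
    printf 'add %d deny log udp from any to any in via %s\n' "$n" "$iface"
}

# Usage: print the ruleset for a host with two external addresses that
# serves DNS and squid's ICP port (constructed sample values).
gen_udp_rules fxp0 "192.0.2.10 192.0.2.11" "53 3130"
```

The allow rules are generated per address rather than per interface, so adding an alias to the box means adding one entry to the list instead of another hand-written rule, and the single trailing deny is what actually protects the RPC ports: nothing above it mentions them, so their number does not matter.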
