Date: Tue, 9 Oct 2001 03:40:32 -0700
From: "Crist J. Clark"
To: Jonas Sonntag
Cc: Jonathan Chen, freebsd-questions@FreeBSD.ORG
Subject: Re: rpc.statd: invalid hostname to sm_stat: ^X?y?.... + IPFW questions
Message-ID: <20011009034032.K350@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011009144605.B4925@jonc.itouch>
In-Reply-To: ; from js@jonsonn.de on Tue, Oct 09, 2001 at 11:24:18AM +0200
Sender: owner-freebsd-questions@FreeBSD.ORG

On Tue, Oct 09, 2001 at 11:24:18AM +0200, Jonas Sonntag wrote:
> > Some script kiddie is attempting to overflow your portmapper. Why have
> > you got it running attached to the 'Net?
>
> I thought it to be closed!?

I don't see a rule for it. Do you? Where is rpc.statd's port blocked?
> This is my current ipfw config where rl0 is the outside interface and xl0
> connects the LAN:
>
> 00100  3281039 2395988201 divert 8668 ip from any to any via rl0
> 00200     5418     235058 allow ip from any to any via lo0
> 00300 12328087 9850315840 allow ip from any to any via xl0
> 00400        2         96 deny tcp from any to me 25 via rl0 setup
> 00500        0          0 deny tcp from any to me 53 via rl0 setup
> 00600        2         96 deny tcp from any to me 110 via rl0 setup
> 00700       10        600 deny tcp from any to me 111 via rl0 setup
> 00800        8        384 deny tcp from any to me 139 via rl0 setup
> 00900        0          0 deny tcp from any to me 587 via rl0 setup
> 01000  3280075 2395948580 allow ip from any to any via rl0
> 65535      490     312763 deny ip from any to any
>
> Should I change rules for 111? Or are there other ports the portmapper uses?

You don't actually need to consult the portmapper to use an RPC service. You can guess or brute force at what port a given service is listening on.

> BTW, I'd like to use this config for the rl0 interface:

Right, this is in the right direction. You want to explicitly pass what you allow and deny all else by default.

> $fwcmd add allow all from 192.168.0.0/24 to any via rl0

This rule doesn't make a lot of sense if it is coming after your divert(4) rule (which I assume it is?). All traffic leaving your LAN has already had the source address NAT'ed when this rule is hit.

> $fwcmd add allow tcp from any to me 1-65535 established via rl0

I don't really understand the point of explicitly telling it to pass all possible port numbers.

> $fwcmd add allow tcp from any to me 21 setup via rl0
> $fwcmd add allow tcp from any to me 22 setup via rl0
> $fwcmd add allow tcp from any to me 80 setup via rl0
> $fwcmd add allow icmp from any to any
> $fwcmd add deny log ip from any to any

I don't see a rule that ever passes anything leaving the system.
In addition, for the same reason NAT'ed traffic leaving your system will never match that first rule, NAT'ed traffic entering on rl0 will never match any of these.

> But when I activate this set of rules, syslog keeps saying:
>
> natd[182]: failed to write packet back (Permission denied)
> last message repeated 87 times
>
> ...and so on and the LAN is disconnected from the internet until I
> reload with the *deny-some-ports-and-allow-the-rest-config*

Which would be expected from these rules.
-- 
Crist J. Clark                     cjclark@alum.mit.edu
                                   cjclark@jhu.edu
                                   cjc@freebsd.org
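The explicit-allow ruleset the reply is steering towards, written out as an added example (this is not Jonas's script or anything from the thread, and not a FreeBSD rc.firewall fragment). It keeps the facts the thread gives: rl0 is the outside interface, xl0 the LAN, natd on divert port 8668, the LAN is 192.168.0.0/24, and 21/22/80 are the services offered outside. The rule numbers, the `$fwcmd` override (set `fwcmd=echo` for a dry run) and the `apply` argument are this script's own choices. The two changes that answer the reply's objections are an allow for traffic going `out via rl0`, so that the packet natd writes back after translation has something to match instead of falling through to the final deny (the "failed to write packet back (Permission denied)" syslog line), and an `established` rule written `from any to any` rather than `to me`, because inbound replies have already been de-NAT'ed to a LAN address by the time they reach it.

```shell
#!/bin/sh
# Added example, not from the original thread: an explicit-allow ipfw
# ruleset for the layout Jonas describes. Assumed from the thread: rl0 is
# the outside interface, xl0 the LAN, natd listens on divert port 8668 and
# the LAN is 192.168.0.0/24. Rule numbers and the $fwcmd convention are
# the script's own (fwcmd can be overridden, e.g. fwcmd=echo for a dry run).
oif=rl0
lanif=xl0
natport=8668
fwcmd="${fwcmd:-ipfw}"

load_rules() {
    $fwcmd -f flush

    # Translate first: everything crossing rl0, in either direction, goes
    # through natd before any allow/deny rule sees it. natd re-injects the
    # packet and evaluation continues at the rule after the divert.
    $fwcmd add 100 divert $natport ip from any to any via $oif

    # Loopback and the LAN side are trusted.
    $fwcmd add 200 allow ip from any to any via lo0
    $fwcmd add 300 allow ip from any to any via $lanif

    # Outbound: after NAT the source is rl0's address, not 192.168.0.x, so
    # match on direction rather than on the LAN prefix. Without some rule
    # that passes outbound traffic, natd's re-injected packet falls through
    # to the final deny and natd logs "failed to write packet back".
    $fwcmd add 400 allow ip from any to any out via $oif

    # Inbound replies to existing TCP connections. After natd has rewritten
    # the destination to the LAN host, "to me" no longer matches, so this
    # has to be "to any".
    $fwcmd add 500 allow tcp from any to any established in via $oif

    # Services this host offers to the outside (the three from the thread).
    $fwcmd add 600 allow tcp from any to me 21 setup in via $oif
    $fwcmd add 610 allow tcp from any to me 22 setup in via $oif
    $fwcmd add 620 allow tcp from any to me 80 setup in via $oif

    # ICMP, as in the proposed set.
    $fwcmd add 700 allow icmp from any to any

    # Nothing else gets in; log it. The portmapper (111) and the port
    # rpc.statd picked up are covered by this default deny rather than by
    # per-port deny rules.
    $fwcmd add 65000 deny log ip from any to any
}

# Run with "apply" to load the rules; otherwise only define the function.
if [ "${1:-}" = "apply" ]; then
    load_rules
fi
```

Two limits worth knowing before loading it: rule 500 passes only TCP replies inbound, so anything the LAN relies on over UDP (DNS lookups, for instance) needs a rule of its own or ipfw's keep-state, which this version leaves out; and rule 400 passes all outbound traffic, which is what the original config did as well, so it changes nothing about what the LAN can reach.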