Date:      Tue, 26 Sep 2006 16:27:52 -0500
From:      Brooks Davis <brooks@one-eyed-alien.net>
To:        John Polstra <jdp@polstra.com>
Cc:        Danny Braniss <danny@cs.huji.ac.il>, freebsd-net@freebsd.org
Subject:   Re: IPMI & portrange
Message-ID:  <20060926212751.GA53219@lor.one-eyed-alien.net>
In-Reply-To: <XFMail.20060926135344.jdp@polstra.com>
References:  <E1GS7Rr-0006b7-EH@cs1.cs.huji.ac.il> <XFMail.20060926135344.jdp@polstra.com>

On Tue, Sep 26, 2006 at 01:53:44PM -0700, John Polstra wrote:
> On 26-Sep-2006 Danny Braniss wrote:
> >       This keeps biting me every other upgrade, IPMI on some
> > hosts, if enabled, will steal packets to port 623 or 664, so
> > the current solution is either set net.inet.ip.portrange.lowlast
> > to 664, (for some reason this does not seem to work if done via
> > loader.conf) or change it in sys/netinet/in.h.
> >
> >       So, is there some way to blacklist some ports, instead
> > of increasing portrange.lowlast?
>
> You could use your favorite scripting language to create a socket,
> bind it to the port, listen on it, and just sit there doing nothing
> -- for each port you want to blacklist.  That would keep the ports
> from being used by anything else.

Extending the internal service functionality of inetd might be a good
approach for this sort of thing.  The current method of service matching
based on port and protocol could be augmented with the ability to
connect arbitrary "internal" services to arbitrary ports, perhaps via
arguments to the "internal" command.  Then you could hook discard to
ports you don't want to use.

-- Brooks
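
The socket-holding approach from the quoted reply above (bind each port and sit on it), as an added example that is not part of the original message. The names `hold_port` and `hold_ports` are hypothetical, and holding both TCP and UDP is an assumption, since the thread does not say which protocol the conflicting allocation uses.

```python
"""Occupy ports so the stack cannot hand them to anything else."""
import socket
import sys
import time

# Ports named in the thread as intercepted by IPMI hardware.
IPMI_PORTS = (623, 664)


def hold_port(port, host="0.0.0.0"):
    """Bind a TCP and a UDP socket on `port`; return both sockets."""
    held = []
    try:
        for kind in (socket.SOCK_STREAM, socket.SOCK_DGRAM):
            s = socket.socket(socket.AF_INET, kind)
            held.append(s)  # track first so a failed bind is still closed
            s.bind((host, port))
            if kind == socket.SOCK_STREAM:
                s.listen(1)  # never accept(); the point is only to occupy
    except OSError:
        for s in held:
            s.close()
        raise
    return held


def hold_ports(ports, host="0.0.0.0"):
    """Hold every port that is still free; report the ones already taken."""
    held = {}
    for port in ports:
        try:
            held[port] = hold_port(port, host)
        except OSError as exc:
            # Already in use (or no privilege): something else owns it.
            print(f"port {port}: not held ({exc})", file=sys.stderr)
    return held


if __name__ == "__main__":
    # Ports below 1024 need root; start this early in boot so the ports
    # are taken before any daemon asks for a reserved port.
    reserved = hold_ports(IPMI_PORTS)
    while reserved:
        time.sleep(3600)
```
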
