Date: Tue, 19 Apr 2005 11:57:21 -0700
From: Sandy Rutherford <sandy@krvarr.bc.ca>
To: FreeBSD mailinglist <freebsd-questions@freebsd.org>
Cc: Florian Hengstberger <e0025265@student.tuwien.ac.at>
Subject: Re: which interface: mountd,rpcbind
Message-ID: <16997.21649.545909.615696@szamoca.krvarr.bc.ca>
In-Reply-To: <20050419153556.GA60313@epia2.farid-hajji.net>
References: <if1ro5.icuujw@webmail.tuwien.ac.at> <44ekd8z0xb.fsf@be-well.ilk.org> <20050419153556.GA60313@epia2.farid-hajji.net>

>>>>> On Tue, 19 Apr 2005 17:35:56 +0200,
>>>>> cpghost@cordula.ws said:

 > On Mon, Apr 18, 2005 at 09:09:36AM -0400, Lowell Gilbert wrote:
 >> "Florian Hengstberger" <e0025265@student.tuwien.ac.at> writes:
 >>
 >> > Hi!
 >> > I really worry about that it seems (man mountd, man rpcbind)
 >> > impossible to specify the interface these daemons bind to.

 > I've had exactly the same problem a while ago! The important thing
 > here, is that nfsd doesn't bind to INADDR_ANY. The other daemons
 > are still potentially vulnerable to other kinds of attacks though,
 > but it would be extremely difficult to inject NFS RPCs into this
 > system from an external interface.

 > I wished rpcbind and mountd (and rpc.lockd and rpc.statd!) could be
 > configured to listen on a specific interface. As long as that is not
 > implemented, you should really use pf or another packet filter on your
 > external interface, to protect NFS.

In addition, tcpwrappers can be used to further protect NFS.

Sandy
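
A check for the situation discussed in this thread, as an added example that is not part of the original messages: it reads `sockstat -4l` style output and lists the NFS-related daemons that listen on the wildcard address. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report NFS-related RPC daemons that
# listen on the wildcard address, reading `sockstat -4l` style text on stdin.

# Daemons named in the thread, plus nfsd.
RPC_DAEMONS="rpcbind mountd rpc.lockd rpc.statd nfsd"

# Prints "COMMAND PROTO PORT" for every wildcard listener, sorted, no duplicates.
wildcard_rpc_listeners() {
    awk -v names="$RPC_DAEMONS" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $1 == "USER" { next }                 # header line
        # Columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
        ($2 in want) && $6 ~ /^\*:/ {
            port = $6
            sub(/^\*:/, "", port)
            print $2, $5, port
        }
    ' | LC_ALL=C sort -u
}

# Constructed sample input; addresses, PIDs and ports are made up.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       702   3  tcp4   *:22                  *:*
root     rpc.lockd  611   3  udp4   *:1011                *:*
root     rpc.statd  608   4  udp4   *:1001                *:*
root     nfsd       560   3  tcp4   192.168.1.1:2049      *:*
root     mountd     552   5  udp4   *:1023                *:*
root     mountd     552   6  tcp4   *:1023                *:*
root     rpcbind    498   9  udp4   *:111                 *:*
root     rpcbind    498   11 tcp4   *:111                 *:*
EOF
}

# On a live host: sockstat -4l | wildcard_rpc_listeners
sample_sockstat | wildcard_rpc_listeners
```

Every line printed is a socket reachable on all interfaces, so it is what the packet filter rules on the external interface have to cover; nfsd bound to a single address and unrelated services such as sshd are not reported.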