Date: Sat, 10 Feb 2001 18:17:04 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Dan Debertin <airboss@bitstream.net>
Cc: Borja Marcos <borjamar@sarenet.es>, "freebsd-security@freebsd.org" <freebsd-security@FreeBSD.ORG>
Subject: Re: nfsd support for tcp_wrapper -> General RPC solution
Message-ID: <20010210181703.A62368@rfx-216-196-73-168.users.reflex>
In-Reply-To: <Pine.LNX.4.30.0102091657280.7608-100000@dmitri.bitstream.net>; from airboss@bitstream.net on Fri, Feb 09, 2001 at 05:12:42PM -0600
References: <3A8474A6.D5D0DCE9@sarenet.es> <Pine.LNX.4.30.0102091657280.7608-100000@dmitri.bitstream.net>
On Fri, Feb 09, 2001 at 05:12:42PM -0600, Dan Debertin wrote:
> On Fri, 9 Feb 2001, Borja Marcos wrote:
> >
> > Yes, and what about having portmap set the right firewall
> > rules to protect RPC services? Whenever a service registers itself
> > to portmap, it puts firewall rules to block access to the port.
>
> That is what I am proposing!
>
> I posted on this subject last month. You can trivially update your
> firewall rules with the following set of pipes:
>
> (assuming your NFS server is at 10.0.0.1, and the service you're looking
> for is mountd)
>
> UDPMOUNTD=`rpcinfo -p 10.0.0.1|awk '$5~/mountd/&&$3~/udp/{print $4}'|uniq`
>
> Then, build your ipfw (or ipf, whatever) rules using $UDPMOUNTD:
>
> # ipfw add deny udp from $EXTERNAL_NET to 10.0.0.1 $UDPMOUNTD

This is, of course, backwards, you should have,

# ipfw add pass udp from $INTERNAL_NET to 10.0.0.1 $UDPMOUNTD

And deny by default. :)
--
Crist J. Clark                                cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
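The rpcinfo-to-ipfw pipeline from the thread, carried through in the default-deny form the reply asks for, as an added example that is not from either poster. The rpcinfo -p output is constructed sample data embedded so the script runs offline; the 192.168.1.0/24 internal network, the 10.0.0.1 server (from the thread), and the rpc_port and gen_rules function names are assumptions. Unlike Dan's `$5~/mountd/` regex, the awk filter here matches the service name exactly, so a lookup for "nfs" cannot pick up a differently named service that merely contains that string.

```shell
#!/bin/sh
# Added example, not code from the thread. Derives the port(s) an RPC
# service registered with portmap and emits ipfw rules that pass the
# internal network and deny everyone else for that port.

NFS_SERVER="10.0.0.1"          # server address used in the thread
INTERNAL_NET="192.168.1.0/24"  # assumed internal client network

# Constructed `rpcinfo -p` output so the script runs offline. On a real
# host replace this with: SAMPLE_RPCINFO=$(rpcinfo -p "$NFS_SERVER")
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   1023  mountd
    100005    3   udp   1023  mountd
    100005    1   tcp   1023  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp    973  nlockmgr'

# rpc_port SERVICE PROTO: print each unique port SERVICE registered for
# PROTO (field layout: program vers proto port service). Exact match on
# the service name; multiple versions of one service collapse via sort -u.
rpc_port() {
    printf '%s\n' "$SAMPLE_RPCINFO" |
        awk -v svc="$1" -v proto="$2" '$5 == svc && $3 == proto { print $4 }' |
        sort -u
}

# gen_rules SERVICE: for every registered port, a pass rule for the internal
# network followed by a deny for the same port from anywhere else. ipfw
# evaluates rules in number order and `add` appends, so pass lands before
# deny. Nothing is applied here; review the output before piping it to sh.
gen_rules() {
    svc="$1"
    for proto in udp tcp; do
        for port in $(rpc_port "$svc" "$proto"); do
            echo "ipfw add pass $proto from $INTERNAL_NET to $NFS_SERVER $port"
            echo "ipfw add deny $proto from any to $NFS_SERVER $port"
        done
    done
}

gen_rules mountd
```

RPC services such as mountd pick their port when they register with portmap, so the rules are only valid for the current registration; rerun the generator after the service or the host restarts, and keep the portmapper port (111) itself restricted to the internal network as well.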