Date: Fri, 9 Feb 2001 14:56:02 -0800 From: Alfred Perlstein <bright@wintelcom.net> To: Borja Marcos <borjamar@sarenet.es> Cc: freebsd-security@FreeBSD.ORG Subject: Re: nfsd support for tcp_wrapper -> General RPC solution Message-ID: <20010209145602.T26076@fw.wintelcom.net> In-Reply-To: <3A8474A6.D5D0DCE9@sarenet.es>; from borjamar@sarenet.es on Fri, Feb 09, 2001 at 11:52:22PM %2B0100 References: <Pine.BSF.4.33.0102091125000.59792-100000@deneb.dbai.tuwien.ac.at> <3A83C933.8F89DC69@sarenet.es> <20010209133615.P26076@fw.wintelcom.net> <3A8474A6.D5D0DCE9@sarenet.es>
next in thread | previous in thread | raw e-mail | index | archive | help
* Borja Marcos <borjamar@sarenet.es> [010209 14:52] wrote: > Alfred Perlstein wrote: > > > This is a really flawed idea. > > Humm. Yours is a flawed reading of my message? ;-) You're right. :) > > > > In fact because afaik NFS always uses a well known port, you really > > don't need portmap to map it, you just need to use the port, > > portmapper for NFS is just a formality. > > > > Ok, with that out of the window, we _could_ consider mucking userland > > mountd to use tcpwrappers to graft an ACL to what's in /etc/exports. > > This is also a bad idea, one can just brute force the NFS > > cookie/filehandle required to gain access, then contact the NFS > > port. > > > > The solution is to use a firewall. > > Yes, and what about having portmap set the right firewall > rules to protect RPC services? Whenever a service registers itself > to portmap, it puts firewall rules to block access to the port. > That is what I am proposing! > > Yes, NFS uses a fixed port, but not other RPC services. Well, using a firewall would work fine, but relying on obfuscation by just hiding portmap won't. That's where I misread what you said, I thought you only meant to firewall portmap, but if you can add hooks to portmap to run ipfw rules... that would interesting. :) -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] "I have the heart of a child; I keep it in a jar on my desk." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010209145602.T26076>