Date:      Fri, 9 Feb 2001 17:12:42 -0600 (CST)
From:      Dan Debertin <airboss@bitstream.net>
To:        Borja Marcos <borjamar@sarenet.es>
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: nfsd support for tcp_wrapper -> General RPC solution
Message-ID:  <Pine.LNX.4.30.0102091657280.7608-100000@dmitri.bitstream.net>
In-Reply-To: <3A8474A6.D5D0DCE9@sarenet.es>

On Fri, 9 Feb 2001, Borja Marcos wrote:
>
> 	Yes, and what about having portmap set the right firewall
> rules to protect RPC services? Whenever a service registers itself
> to portmap, it puts firewall rules to block access to the port.
> That is what I am proposing!

I posted on this subject last month. You can trivially update your
firewall rules with the following set of pipes:

(assuming your NFS server is at 10.0.0.1, and the service you're looking
for is mountd)

UDPMOUNTD=`rpcinfo -p 10.0.0.1|awk '$5~/mountd/&&$3~/udp/{print $4}'|uniq`

Then, build your ipfw (or ipf, whatever) rules using $UDPMOUNTD:

# ipfw add deny udp from $EXTERNAL_NET to 10.0.0.1 $UDPMOUNTD



 Dan Debertin
--
++ Unix is the worst operating system, except for all others.

++ Dan Debertin
++ Senior Systems Administrator
++ Bitstream Underground, LLC
++ airboss@bitstream.net
++ (612)321-9290 x108
++ GPG Fingerprint: 0BC5 F4D6 649F D0C8 D1A7  CAE4 BEF4 0A5C 300D 2387
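The port-discovery pipeline above generalised into a small script, as an added example that is not part of Dan's post: it parses `rpcinfo -p` output (column layout `program vers proto port service`), extracts the port each RPC service registered per protocol, and emits one ipfw deny rule per protocol/port pair. The `rpcinfo` text, the server address 10.0.0.1 and the external network 192.0.2.0/24 are constructed sample values; on a real host feed it `rpcinfo -p "$NFS_SERVER"` instead of the embedded sample.

```shell
#!/bin/sh
# Added example (not from the original post): derive firewall rules for
# RPC services from "rpcinfo -p" output. All addresses and the rpcinfo
# text below are constructed sample data.

NFS_SERVER="10.0.0.1"          # assumed NFS server
EXTERNAL_NET="192.0.2.0/24"    # assumed untrusted network (documentation range)

# Constructed sample of "rpcinfo -p" output: program vers proto port service
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   1023  mountd
    100005    3   udp   1023  mountd
    100005    1   tcp   1022  mountd
    100005    3   tcp   1022  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100024    1   udp    868  status
    100024    1   tcp    870  status'

# rpc_port SERVICE PROTO
#   Read rpcinfo -p text on stdin and print the distinct port(s) SERVICE
#   registered for PROTO. Uses exact field matches rather than a regex so
#   "nfs" cannot also match a longer service name, and skips the header.
rpc_port() {
    rp_svc=$1
    rp_proto=$2
    awk -v svc="$rp_svc" -v proto="$rp_proto" \
        'NR > 1 && $5 == svc && $3 == proto { print $4 }' | sort -un
}

# ipfw_rules SERVICE RPCINFO_TEXT
#   Print an "ipfw add deny" rule for every protocol/port pair SERVICE has
#   registered, blocking EXTERNAL_NET from reaching it on NFS_SERVER.
ipfw_rules() {
    ir_svc=$1
    ir_text=$2
    for ir_proto in udp tcp; do
        for ir_port in $(printf '%s\n' "$ir_text" | rpc_port "$ir_svc" "$ir_proto"); do
            printf 'ipfw add deny %s from %s to %s %s\n' \
                "$ir_proto" "$EXTERNAL_NET" "$NFS_SERVER" "$ir_port"
        done
    done
}

# Stand-alone demo on the constructed sample; for a live host replace
# "$SAMPLE_RPCINFO" with "$(rpcinfo -p "$NFS_SERVER")".
ipfw_rules mountd "$SAMPLE_RPCINFO"
```

Two caveats when using this for real: the ports are assigned when the daemon starts, so the rules must be regenerated (and the stale ones deleted) every time mountd or nfsd restarts, and the deny rules only help if they are inserted ahead of any broad allow rule in the ipfw chain. Blocking the dynamic ports also does not hide the services from an attacker who can still query portmapper itself, so port 111 needs its own rule.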
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message