Re: nfsd support for tcp_wrapper -> General RPC solution

From: Borja Marcos (borjamar@sarenet.es)
Date: 02/09/01


Date: Fri, 09 Feb 2001 23:52:22 +0100
From: Borja Marcos <borjamar@sarenet.es>
To: freebsd-security@freebsd.org

Alfred Perlstein wrote:

> This is a really flawed idea.

        Humm. Yours is a flawed reading of my message? ;-)

> All portmap does is provide a name/version/protocol mapping of a
> service to a tcp/udp port. One can trivially do a portscan of
> a box running RPC services and figure out which are open. You
> don't need portmap to brute force finding out where a remote
> vulnerable service is located.

        But if portmap can set up the right rules for ipfw,
the brute force portscan will have no success. (read below)

>
> In fact because afaik NFS always uses a well known port, you really
> don't need portmap to map it, you just need to use the port,
> portmapper for NFS is just a formality.
>
> Ok, with that out of the window, we _could_ consider mucking userland
> mountd to use tcpwrappers to graft an ACL to what's in /etc/exports.
> This is also a bad idea, one can just brute force the NFS
> cookie/filehandle required to gain access, then contact the NFS
> port.
>
> The solution is to use a firewall.

        Yes, and what about having portmap set the right firewall
rules to protect RPC services? Whenever a service registers itself
to portmap, it puts firewall rules to block access to the port.
That is what I am proposing!

        Yes, NFS uses a fixed port, but not other RPC services.

        Borja.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
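As an added illustration of the mechanism Borja proposes (this is not code from the thread, from FreeBSD's portmap, or from any project), the script below derives ipfw rules for every port an RPC service has registered, allowing only trusted networks and denying everyone else; it reads constructed `rpcinfo -p` output rather than hooking into portmap itself, and the trusted network 192.0.2.0/24 is a sample value.

```python
import re

# Constructed sample of `rpcinfo -p` output (not a real host), in the
# usual column layout: program, version, protocol, port, service name.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100005    1   udp   1023  mountd
    100005    1   tcp   1023  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp    951  nlockmgr
"""

_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Return (proto, port, service) triples; the header line is skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            entries.append((m.group(3), int(m.group(4)), m.group(5)))
    return entries


def ipfw_rules(entries, trusted_nets, first_rule=1000, step=10):
    """Emit ipfw commands: one allow per trusted net, then a deny for all.

    Rules are keyed on (proto, port), so a program registered under
    several versions on the same port gets a single rule set.
    """
    seen = set()
    rules = []
    num = first_rule
    for proto, port, _service in entries:
        if (proto, port) in seen:
            continue
        seen.add((proto, port))
        for net in trusted_nets:
            rules.append(f"ipfw add {num} allow {proto} from {net} to me {port}")
            num += step
        rules.append(f"ipfw add {num} deny {proto} from any to me {port}")
        num += step
    return rules


if __name__ == "__main__":
    for rule in ipfw_rules(parse_rpcinfo(SAMPLE_RPCINFO), ["192.0.2.0/24"]):
        print(rule)
```

Because the deny rules are generated from what is actually registered, a port that portmap does not know about gets no rule here; a catch-all deny for the dynamic port range still belongs in the base ruleset.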