Re: nfsd support for tcp_wrapper -> General RPC solution
From: Dan Debertin (airboss@bitstream.net)
Date: 02/10/01
- Next message: Alfred Perlstein: "OpenSSL shlib on 2.2.x"
- Previous message: Kris Kennaway: "Re: Reminder notice about FreeBSD Security Advisories"
- In reply to: Borja Marcos: "Re: nfsd support for tcp_wrapper -> General RPC solution"
- Next in thread: Crist J. Clark: "Re: nfsd support for tcp_wrapper -> General RPC solution"
- Reply: Crist J. Clark: "Re: nfsd support for tcp_wrapper -> General RPC solution"
Date: Fri, 9 Feb 2001 17:12:42 -0600 (CST)
From: Dan Debertin <airboss@bitstream.net>
To: Borja Marcos <borjamar@sarenet.es>

On Fri, 9 Feb 2001, Borja Marcos wrote:
>
> Yes, and what about having portmap set the right firewall
> rules to protect RPC services? Whenever a service registers itself
> to portmap, it puts firewall rules to block access to the port.
> That is what I am proposing!

I posted on this subject last month. You can trivially update your
firewall rules with the following set of pipes:

(assuming your NFS server is at 10.0.0.1, and the service you're looking
for is mountd)

UDPMOUNTD=`rpcinfo -p 10.0.0.1|awk '$5~/mountd/&&$3~/udp/{print $4}'|uniq`

Then, build your ipfw (or ipf, whatever) rules using $UDPMOUNTD:

# ipfw add deny udp from $EXTERNAL_NET to 10.0.0.1 $UDPMOUNTD

Dan Debertin
--
++ Unix is the worst operating system, except for all others.

++ Dan Debertin
++ Senior Systems Administrator
++ Bitstream Underground, LLC
++ airboss@bitstream.net
++ (612)321-9290 x108
++ GPG Fingerprint: 0BC5 F4D6 649F D0C8 D1A7 CAE4 BEF4 0A5C 300D 2387
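
The pipeline from the message above, generalized to any RPC service and protocol, as an added example that is not part of the original post. The function names, the 192.0.2.0/24 external network and the sample rpcinfo listing are constructed for illustration; rules are printed rather than applied.

```shell
#!/bin/sh
# Added example: turn `rpcinfo -p` output into ipfw deny rules.
# Rules are only printed; review them before feeding them to a shell.

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   1023  mountd
    100005    3   udp   1023  mountd
    100005    1   tcp   1023  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
EOF
}

# rpc_ports SERVICE PROTO: read rpcinfo -p output on stdin and print each
# matching port once. Uses exact field comparison rather than a regex match.
rpc_ports() {
    awk -v svc="$1" -v proto="$2" \
        '$5 == svc && $3 == proto && $4 ~ /^[0-9]+$/ { print $4 }' | sort -un
}

# deny_rules EXTERNAL_NET SERVER SERVICE PROTO: print one ipfw rule per port.
# Returns 1 and prints no rule when no port is registered, because a rule
# with an empty port field would deny all PROTO traffic to SERVER.
deny_rules() {
    ports=$(rpc_ports "$3" "$4")
    if [ -z "$ports" ]; then
        echo "no $4 port registered for $3; no rule generated" >&2
        return 1
    fi
    for p in $ports; do
        echo "ipfw add deny $4 from $1 to $2 $p"
    done
}

# Live use would be: rpcinfo -p 10.0.0.1 | deny_rules <external net> 10.0.0.1 mountd udp
sample_rpcinfo | deny_rules 192.0.2.0/24 10.0.0.1 mountd udp
sample_rpcinfo | deny_rules 192.0.2.0/24 10.0.0.1 nfs udp
```

A portmap-assigned port can change when the daemon restarts, so the rules need to be regenerated after the RPC services come up.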