Re: nfsd support for tcp_wrapper -> General RPC solution

From: Crist J. Clark (cjclark@reflexnet.net)
Date: 02/11/01 

Date: Sat, 10 Feb 2001 18:17:04 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Dan Debertin <airboss@bitstream.net>

On Fri, Feb 09, 2001 at 05:12:42PM -0600, Dan Debertin wrote:
> On Fri, 9 Feb 2001, Borja Marcos wrote:
> >
> > Yes, and what about having portmap set the right firewall
> > rules to protect RPC services? Whenever a service registers itself
> > to portmap, it puts firewall rules to block access to the port.
> > That is what I am proposing!
>
> I posted on this subject last month. You can trivially update your
> firewall rules with the following set of pipes:
>
> (assuming your NFS server is at 10.0.0.1, and the service you're looking
> for is mountd)
>
> UDPMOUNTD=`rpcinfo -p 10.0.0.1|awk '$5~/mountd/&&$3~/udp/{print $4}'|uniq`
>
> Then, build your ipfw (of ipf, whatever) rules using $UDPMOUNTD:
>
> # ipfw add deny udp from $EXTERNAL_NET to 10.0.0.1 $UDPMOUNTD

This is, of course, backwards, you should have,

  # ipfw add pass udp from $INTERNAL_NET to 10.0.0.1 $UDPMOUNTD

And deny by default. :) 

-- 
Crist J. Clark                           cjclark@alum.mit.edu
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message