Re: tcpwrapped rpcbind/portmap?

From: Vladimir Ivanov (VIvanov@tee.toshiba.de)
Date: 08/22/01


Message-ID: <3B836D63.34BE8621@tee.toshiba.de>
Date: Wed, 22 Aug 2001 10:29:23 +0200
From: Vladimir Ivanov <VIvanov@tee.toshiba.de>
To: focus-sun@securityfocus.com
Subject: Re: tcpwrapped rpcbind/portmap?


> Geoff Collis wrote:
>
> Regardless of the merits or otherwise I need rpcbind to support the
> reading/writing of files stored on a NetApp NFS file server. There may be
> better alternatives, but these are not going to work with the hardware we
> have.
>
> On Solaris 2.6 and 7 I would handle this scenario by installing ipfilter,
> to restrict access to the local subnet, and use the tcp-wrapped version of
> rpcbind to make sure RPC will only work with hosts on the local subnet.
> Mistakes happen so I prefer to have two levels of *access restriction*
> rather than rely totally on the ipfilter rules. :-)
>
Moreover, when you use /etc/hosts.[allow,deny] you are able to put them into
your Custom JumpStart environment (for example, using the JASS security
toolkit), so every new workstation will have a unified security profile
immediately after the installation.

This is also possible in the case of IPFilter, of course, but it is much
better to have such an ability from Sun instead of something unsupported
(although good) from a third party.

I have no idea whether it is possible to configure SunScreen Lite during
JumpStart, but even if it is, I would prefer to have the more traditional
"wrapped" solution.

-- 
Vladimir Ivanov                      
System Administrator                 E-Mail:  VIvanov@tee.toshiba.de
Toshiba Electronics Europe GmbH      Tel/Fax: +49-211-5296-297/386
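
The hosts.allow/hosts.deny policy for a tcp-wrapped rpcbind, and the JumpStart finish-script step that installs it into the new system's root, as an added example that is not part of the original message or of the JASS toolkit. The subnet 192.168.10.0/255.255.255.0, the /a install root, the sshd entry and the function names are assumptions for illustration; the daemon name "rpcbind" is the process name libwrap matches against, and address/netmask patterns are used instead of hostnames so the policy does not depend on DNS.

```shell
#!/bin/sh
# Added example, not code from the original post or from JASS.
# Generates tcp_wrappers hosts.allow / hosts.deny files that limit the
# wrapped rpcbind to one local subnet (default deny for everything else)
# and installs them into a JumpStart install root from a finish script.

ROOTDIR="${ROOTDIR:-/a}"   # JumpStart mounts the freshly installed system here (assumed)
LOCAL_NET="${LOCAL_NET:-192.168.10.0/255.255.255.0}"   # constructed example subnet

# /etc/hosts.allow: rpcbind answers only loopback and the local subnet.
# "rpcbind" is the daemon name libwrap uses (the process name).
gen_hosts_allow() {
    net="$1"
    cat <<EOF
# Generated by the JumpStart finish script; do not edit by hand.
rpcbind: 127.0.0.1 $net
sshd: $net
EOF
}

# /etc/hosts.deny: anything not explicitly allowed is refused and logged.
gen_hosts_deny() {
    cat <<'EOF'
# Default deny for every wrapped service.
ALL: ALL
EOF
}

# Write both files into the target root; 0644 so unprivileged users can
# read but not change the policy.
install_wrappers() {
    root="$1"; net="$2"
    gen_hosts_allow "$net" > "$root/etc/hosts.allow"
    gen_hosts_deny > "$root/etc/hosts.deny"
    chmod 644 "$root/etc/hosts.allow" "$root/etc/hosts.deny"
}

# Guard against a broken template shipping an open rpcbind to every new
# workstation: require a default-deny rule and an rpcbind entry that is
# not "ALL".  Returns 0 when the installed policy passes.
check_policy() {
    root="$1"
    grep -q '^ALL: ALL' "$root/etc/hosts.deny" || return 1
    grep -q '^rpcbind: ' "$root/etc/hosts.allow" || return 1
    ! grep -q '^rpcbind:.*ALL' "$root/etc/hosts.allow" || return 1
    return 0
}

# Finish-script entry point: run as "finish.sh install" from the JumpStart
# rules file; no arguments means the functions are only defined.
if [ "${1:-}" = "install" ]; then
    install_wrappers "$ROOTDIR" "$LOCAL_NET"
    check_policy "$ROOTDIR" || { echo "hosts.allow policy check failed" >&2; exit 1; }
fi
```

The default-deny line in hosts.deny is what makes the rpcbind entry meaningful: without it, a daemon missing from hosts.allow is allowed from anywhere. Run the script with the install argument from the finish phase so the files are in place before the workstation first boots rpcbind.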