From: Steve Grandi <grandi@noao.edu>
Date: Mon, 14 Jun 1999 14:13:26 -0700 (MST)
To: Matthew Seaman
Cc: obrien@NUXI.com, freebsd-stable@FreeBSD.ORG
Subject: Re: amd and /etc/hosts.allow
In-Reply-To: <3764D713.5D8322EE@inpharmatica.co.uk>

I've done lots of experiments today and discovered little: I think most of my problems with amd and mount_nfs have to do with NFS quirks between inhomogeneous operating systems and less (if anything) to do with portmap and tcp_wrappers. If I come up with something solid, I will post again. In other words, never mind!

I have verified Matthew's point about portmap and numerical entries in /etc/hosts.access. I used spray as an easy test.

    ALL : .noao.edu : allow

was not sufficient to allow portmap access, while

    ALL : 140.252. : allow

works fine.

Steve Grandi

On Mon, 14 Jun 1999, Matthew Seaman wrote:

> Steve Grandi wrote:
>
> > The portion of /etc/hosts.allow that refers to portmap sure appears to me
> > to be sufficient to let local hosts in:
> >
> > # Portmapper is used for all RPC services; protect your NFS!
> > #portmap : localhost : allow
> > #portmap : .noao.edu : allow
> > #portmap : .evil.cracker.example.com : deny
> > portmap : ALL : allow
> >
> > Any thoughts? The next time I can play with this system, I will start
> > portmap with -v to see if any log entries are interesting.
>
> The common experience on other Unices using portmap+tcp_wrappers is that you
> can only use the keyword "ALL" or IP address/mask pairs to protect portmap --
> not host or domain names or NIS netgroups. This is documented in the README
> that comes with the original Wietse Venema portmap_5beta code, on which I
> believe FreeBSD portmap is based:
>
> ftp://ftp.porcupine.org/pub/security/portmap_5beta.tar.gz

Steve Grandi, National Optical Astronomy Observatories/AURA Inc., Tucson AZ USA
Internet: grandi@noao.edu   Voice: +1 520 318-8228
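An added illustration, not part of the thread and not tcp_wrappers' or portmap's own code, of why the two patterns behave differently: the wrapped portmap checks clients by address only and never resolves a host name, so a leading-dot domain pattern has nothing to match, whereas a numeric prefix or net/mask pair does. The small evaluator below models the tcp_wrappers pattern rules in FreeBSD's single-file hosts.allow style; the rule sets are constructed, the client address and name are the ones in the message headers, and "sshd" stands in for any daemon that is assumed to supply a resolved host name.

```python
import ipaddress

# Constructed sample rules (daemon : client : action), built from the
# patterns discussed in the thread.
RULES_BY_NAME = ["ALL : .noao.edu : allow", "ALL : ALL : deny"]
RULES_BY_PREFIX = ["ALL : 140.252. : allow", "ALL : ALL : deny"]
RULES_BY_MASK = ["portmap : 140.252.0.0/255.255.0.0 : allow", "ALL : ALL : deny"]


def pattern_matches(pattern, addr, hostname=None):
    """tcp_wrappers-style client pattern check.
    addr is the client IP; hostname is None for daemons such as portmap
    that work from the address alone and never perform a name lookup."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # domain suffix: needs a resolved name
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):            # numeric prefix such as "140.252."
        return addr.startswith(pattern)
    if "/" in pattern:                   # net/mask pair, e.g. 140.252.0.0/255.255.0.0
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(addr) in network
    return pattern == addr or pattern == hostname   # exact address or host name


def access_allowed(rules, daemon, addr, hostname=None):
    """First matching rule wins; with no match tcp_wrappers grants access,
    which is why the sample rule sets end with an explicit 'ALL : ALL : deny'."""
    for line in rules:
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        daemons, clients, action = (f.strip() for f in line.split(":", 2))
        daemon_list = [d.strip() for d in daemons.split(",")]
        if daemon not in daemon_list and "ALL" not in daemon_list:
            continue
        if any(pattern_matches(p.strip(), addr, hostname) for p in clients.split(",")):
            return action == "allow"
    return True


if __name__ == "__main__":
    client = "140.252.1.9"               # mirfak.tuc.noao.edu, from the message headers
    # portmap sees only the address, so the domain pattern never matches and the deny fires
    print(access_allowed(RULES_BY_NAME, "portmap", client))                      # False
    # a name-resolving daemon (assumed) matches the same domain pattern
    print(access_allowed(RULES_BY_NAME, "sshd", client, "mirfak.tuc.noao.edu"))  # True
    print(access_allowed(RULES_BY_PREFIX, "portmap", client))                    # True
    print(access_allowed(RULES_BY_MASK, "portmap", client))                      # True
```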