From owner-freebsd-security Fri Jan 26 9:57:50 2001
Date: Fri, 26 Jan 2001 11:51:53 -0600 (CST)
From: Dan Debertin
To:
Cc: David La Croix, "Scot W. Hetzel",
Subject: Re: buffer overflows in rpc.statd?
In-Reply-To: <20010126095147.A66394@rfx-216-196-73-168.users.reflex>

On Fri, 26 Jan 2001, Crist J. Clark wrote:

> I wanted to point out that you cannot really 'block' RPC services
> effectively with ipfw(8) rules. RPC services do not live on certain
> well-known ports[0]. The only way you can effectively block RPC
> services is with default deny rules.

I've gotten around this in the past by putting 'rpcinfo -p | awk' commands in rc.firewall, polling the portmapper on protected hosts and then building firewall rules dynamically for them. It doesn't completely work, because you have to flush & reload your rules when an NFS server bounces, but for cases where that's "good enough", it does the job.

~Dan D.

-- 
++ Unix is the worst operating system, except for all others.
++ Dan Debertin
++ Senior Systems Administrator
++ Bitstream Underground, LLC
++ airboss@bitstream.net
++ (612)321-9290 x108
++ GPG Fingerprint: 0BC5 F4D6 649F D0C8 D1A7 CAE4 BEF4 0A5C 300D 2387
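The "rpcinfo -p | awk" trick described above, written out as an added example (this is not Dan's rc.firewall code and not part of the original message). The rpcinfo output is a constructed sample rather than a live portmapper query, so it runs offline, and the generated ipfw commands are printed instead of executed. The host and network addresses, rule numbers and function names are illustrative assumptions. Because the ports above 1023 are assigned by the kernel when each RPC daemon starts, the rules are only valid until that host reboots, which is the caveat Dan raises: you have to flush and regenerate them after an NFS server bounces, and everything not listed here must still be covered by a default deny rule.

```sh
#!/bin/sh
# Added example: build ipfw allow rules from `rpcinfo -p` output.
# Not the original poster's script; a reconstruction of the technique.

# Constructed sample of `rpcinfo -p nfshost` output. The ports above 1023
# are the dynamically assigned ones that make static ipfw rules impractical.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   udp   1023  mountd
    100005    3   tcp   1023  mountd
    100024    1   udp    922  status
    100024    1   tcp    925  status
    100021    1   udp   1004  nlockmgr
    100021    4   tcp   1006  nlockmgr'

# rpc_rules HOST FROMNET [RULEBASE]
# Reads rpcinfo -p output on stdin and emits one "ipfw add" line per
# distinct (proto, port) pair, allowing FROMNET to reach HOST on it.
# Rule numbers start at RULEBASE (default 1000) so the whole set can be
# deleted and regenerated as a block when the NFS server bounces.
rpc_rules() {
    host=$1; fromnet=$2; base=${3:-1000}
    awk -v host="$host" -v net="$fromnet" -v n="$base" '
        NR == 1 && $1 == "program" { next }          # skip the header line
        $3 ~ /^(tcp|udp)$/ && $4 ~ /^[0-9]+$/ {
            key = $3 ":" $4                          # several versions of one
            if (!(key in seen)) {                    # program share a port
                seen[key] = 1
                printf "ipfw add %d allow %s from %s to %s %s\n", n, $3, net, host, $4
                n++
            }
        }'
}

# In a real rc.firewall this would be:  rpcinfo -p "$host" | rpc_rules "$host" ...
# Here the constructed sample stands in for the live portmapper query.
rpc_rules_sample() {
    printf '%s\n' "$SAMPLE_RPCINFO" | rpc_rules "$@"
}

rpc_rules_sample 192.0.2.10 192.0.2.0/24 1000
```

The output is a list of `ipfw add` commands you could pipe into `sh`; to apply them for real, replace the sample with `rpcinfo -p "$host"`, delete the old block with `ipfw delete` over the same rule range first, and keep the default deny rule that comes after the block.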