Date: Fri, 26 Jan 2001 13:03:17 -0800
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: Dan Debertin <airboss@bitstream.net>
Cc: cjclark@alum.mit.edu, David La Croix <dlacroix@cowpie.acm.vt.edu>, "Scot W. Hetzel" <hetzels@westbend.net>, freebsd-security@FreeBSD.ORG
Subject: Re: buffer overflows in rpc.statd?
Message-ID: <200101262103.f0QL3WB50242@cwsys.cwsent.com>
In-Reply-To: Your message of "Fri, 26 Jan 2001 11:51:53 CST." <Pine.LNX.4.30.0101261148270.18352-100000@dmitri.bitstream.net>
In message <Pine.LNX.4.30.0101261148270.18352-100000@dmitri.bitstream.net>, Dan Debertin writes:
> On Fri, 26 Jan 2001, Crist J. Clark wrote:
>
> > I wanted to point out that you cannot really 'block' RPC services
> > effectively with ipfw(8) rules. RPC services do not live on certain
> > well-known ports[0]. The only way you can effectively block RPC
> > services is with default deny rules.
>
> I've gotten around this in the past by putting 'rpcinfo -p | awk' commands
> in rc.firewall, polling the portmapper on protected hosts and then
> building firewall rules dynamically for them. It doesn't completely work,
> because you have to flush & reload your rules when an NFS server bounces,
> but for cases where that's "good enough", it does the job.

This only works if the services you're protecting are running on the
firewall itself.

Regards,                       Phone:  (250)387-8437
Cy Schubert                     Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
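The following is an added example and is not code from either message in this thread. It shows the 'rpcinfo -p | awk' idea as a small POSIX sh function: the portmapper listing is parsed, each distinct protocol/port pair currently registered becomes an ipfw allow rule from a trusted network to the RPC server, and every other RPC port is left to the default-deny rule that Crist J. Clark describes. All rules are given one fixed rule number so the whole set can be deleted and regenerated when a server restarts and its dynamic ports change. The rpcinfo output, the addresses 10.0.0.0/24 and 192.0.2.5, and the rule number 5000 are constructed placeholders, not values from the thread.

```sh
#!/bin/sh
# Constructed sample of `rpcinfo -p` output (not captured from a real host).
# rpc.statd ("status") registers twice on udp/1012 here to show deduplication.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100024    1   udp   1012  status
    100024    2   udp   1012  status
    100024    1   tcp   1013  status
    100021    1   udp   1014  nlockmgr
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs'

# Arbitrary ipfw rule number used for every generated rule, so that
# "ipfw delete $RPC_RULE_NUM" removes the whole set before regenerating it.
RPC_RULE_NUM=5000

# rpc_rules TRUSTED_NET SERVER_IP
#   Reads `rpcinfo -p` output on stdin and prints one "ipfw add" line per
#   distinct proto/port pair, allowing only TRUSTED_NET -> SERVER_IP.
#   Lines that are not a registration row (the header, blanks) are skipped.
rpc_rules() {
    trusted="$1"
    server="$2"
    awk -v net="$trusted" -v srv="$server" -v num="$RPC_RULE_NUM" '
        $1 == "program" { next }              # column header from rpcinfo
        NF >= 4 && $4 ~ /^[0-9]+$/ {          # program vers proto port [service]
            key = $3 "/" $4
            if (!(key in seen)) {             # same port may be listed per version
                seen[key] = 1
                printf "ipfw add %s allow %s from %s to %s %s in\n",
                       num, $3, net, srv, $4
            }
        }'
}

# rpc_reload TRUSTED_NET SERVER_IP
#   What an rc.firewall hook would run on the host: drop the previous
#   generated set, then install a fresh one from the live portmapper.
#   Not invoked below, since it needs rpcinfo and root on a FreeBSD host.
rpc_reload() {
    ipfw -q delete "$RPC_RULE_NUM" 2>/dev/null
    rpcinfo -p | rpc_rules "$1" "$2" | sh
}

# Demo on the constructed listing: print the rules instead of loading them.
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_rules 10.0.0.0/24 192.0.2.5
```

In the form used in the thread the function runs on the firewall host itself (`rpcinfo -p`), and the generated set must be deleted and rebuilt whenever the server is bounced, since rpc.statd, nlockmgr and similar services come back on different ports.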