From owner-freebsd-security  Fri Jan 26 13: 6:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44])
	by hub.freebsd.org (Postfix) with ESMTP id 015E837B401
	for <freebsd-security@FreeBSD.ORG>; Fri, 26 Jan 2001 13:05:57 -0800 (PST)
Received: (from daemon@localhost)
	by point.osg.gov.bc.ca (8.8.7/8.8.8) id NAA14438;
	Fri, 26 Jan 2001 13:04:28 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29)
 via SMTP by point.osg.gov.bc.ca, id smtpda14436; Fri Jan 26 13:04:14 2001
Received: (from uucp@localhost)
	by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f0QL3uj87826;
	Fri, 26 Jan 2001 13:03:56 -0800 (PST)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com"
 via SMTP by passer9.cwsent.com, id smtpdG87820; Fri Jan 26 13:03:33 2001
Received: (from uucp@localhost)
	by cwsys.cwsent.com (8.11.2/8.9.1) id f0QL3WB50242;
	Fri, 26 Jan 2001 13:03:32 -0800 (PST)
Message-Id: <200101262103.f0QL3WB50242@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys"
 via SMTP by localhost.cwsent.com, id smtpdL50238; Fri Jan 26 13:03:17 2001
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
X-Sender: schubert
To: Dan Debertin <airboss@bitstream.net>
Cc: cjclark@alum.mit.edu,
	David La Croix <dlacroix@cowpie.acm.vt.edu>,
	"Scot W. Hetzel" <hetzels@westbend.net>, freebsd-security@FreeBSD.ORG
Subject: Re: buffer overflows in rpc.statd? 
In-reply-to: Your message of "Fri, 26 Jan 2001 11:51:53 CST."
             <Pine.LNX.4.30.0101261148270.18352-100000@dmitri.bitstream.net> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 26 Jan 2001 13:03:17 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <Pine.LNX.4.30.0101261148270.18352-100000@dmitri.bitstream.ne
t>, Dan
 Debertin writes:
> On Fri, 26 Jan 2001, Crist J. Clark wrote:
> 
> >
> > I wanted to point out that you cannot really 'block' RPC services
> > effectively with ipfw(8) rules. RPC services do not live on certain
> > well-known ports[0]. The only way you can effectively block RPC
> > services is with default deny rules.
> 
> I've gotten around this in the past by putting 'rpcinfo -p | awk' commands
> in rc.firewall, polling the portmapper on protected hosts and then
> building firewall rules dynamically for them. It doesn't completely work,
> because you have to flush & reload your rules when an NFS server bounces,
> but for cases where that's "good enough", it does the job.

This only works if the services you're protecting are running on the 
the firewall itself.


Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message