From owner-freebsd-security Fri Jan 26 15:20:07 2001
Date: Fri, 26 Jan 2001 17:14:07 -0600 (CST)
From: Dan Debertin
To: Cy Schubert - ITSD Open Systems Group
Cc: David La Croix, "Scot W. Hetzel"
Subject: Re: buffer overflows in rpc.statd?
In-Reply-To: <200101262103.f0QL3WB50242@cwsys.cwsent.com>

On Fri, 26 Jan 2001, Cy Schubert - ITSD Open Systems Group wrote:

> > I've gotten around this in the past by putting 'rpcinfo -p | awk' commands
> > in rc.firewall, polling the portmapper on protected hosts and then
> > building firewall rules dynamically for them. It doesn't completely work,
> > because you have to flush & reload your rules when an NFS server bounces,
> > but for cases where that's "good enough", it does the job.
>
> This only works if the services you're protecting are running on the
> firewall itself.

Sorry, I should have been more explicit. Here is what I was talking about,
in specific terms. Works fine for generating rules referring to a remote NFS
server (pretend it's at 10.0.0.1):

    # rpcinfo -p columns: program vers proto port service; the port is $4
    UDPMOUNTD=`rpcinfo -p 10.0.0.1|awk '$5~/mountd/&&$3~/udp/{print $4}'|uniq`
    ipfw add permit udp from 192.168.1.6 1024-65535 to 10.0.0.1 $UDPMOUNTD

(or whatever)

As I said, it's not that great an idea, in reality, but it works okay.

~Dan D.

--
++ Unix is the worst operating system, except for all others.
++ Dan Debertin
++ Senior Systems Administrator
++ Bitstream Underground, LLC
++ airboss@bitstream.net
++ (612)321-9290 x108
++ GPG Fingerprint: 0BC5 F4D6 649F D0C8 D1A7 CAE4 BEF4 0A5C 300D 2387
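A fuller version of the rule-generation approach described above, as an added example that is not Dan's script: it looks up each service's port in `rpcinfo -p` output (a constructed sample here, fed through an assumed `portmap_dump` function; the server 10.0.0.1 and client 192.168.1.6 are assumed) and emits no rule when a service is not registered, the case where an empty variable would otherwise produce a malformed `ipfw add` line.

```shell
#!/bin/sh
# Constructed stand-in for `rpcinfo -p 10.0.0.1` output (not captured from a
# real host). Columns: program vers proto port service.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   1023  mountd
    100005    3   tcp   1023  mountd
    100003    2   udp   2049  nfs
    100024    1   udp   1014  status'

# portmap_dump SERVER: assumed helper; in production its body would be
# `rpcinfo -p "$1"`. Here it returns the constructed sample.
portmap_dump() {
    printf '%s\n' "$SAMPLE_RPCINFO"
}

# rpc_port SERVER SERVICE PROTO: the port the portmapper lists for SERVICE
# over PROTO. The port is column 4; column 3 is the protocol name.
rpc_port() {
    portmap_dump "$1" | awk -v svc="$2" -v proto="$3" \
        '$5 == svc && $3 == proto { print $4; exit }'
}

# ipfw_rule CLIENT SERVER SERVICE PROTO: print one ipfw rule, or print nothing
# and return 1 when the service is not registered, so an empty port never
# turns into an `ipfw add` line with a missing destination port.
ipfw_rule() {
    port=$(rpc_port "$2" "$3" "$4")
    if [ -z "$port" ]; then
        echo "# $3/$4 not registered on $2: no rule emitted" >&2
        return 1
    fi
    echo "ipfw add permit $4 from $1 1024-65535 to $2 $port"
}

# Emit rules for the services an NFS client needs; the output can be written
# into rc.firewall and must be regenerated whenever the server is rebooted.
for spec in mountd:udp nfs:udp status:udp; do
    ipfw_rule 192.168.1.6 10.0.0.1 "${spec%:*}" "${spec#*:}"
done
```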