Date:      Tue, 9 Oct 2001 03:40:32 -0700
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        Jonas Sonntag <js@jonsonn.de>
Cc:        Jonathan Chen <jonathan.chen@itouch.co.nz>, freebsd-questions@FreeBSD.ORG
Subject:   Re: rpc.statd: invalid hostname to sm_stat: ^X?y?.... + IPFW questions
Message-ID:  <20011009034032.K350@blossom.cjclark.org>
In-Reply-To: <KIEEILJCLAIJNFGECHJOMEOACBAA.js@jonsonn.de>; from js@jonsonn.de on Tue, Oct 09, 2001 at 11:24:18AM +0200
References:  <20011009144605.B4925@jonc.itouch> <KIEEILJCLAIJNFGECHJOMEOACBAA.js@jonsonn.de>

On Tue, Oct 09, 2001 at 11:24:18AM +0200, Jonas Sonntag wrote:
> > Some script kiddie is attempting to overflow your portmapper. Why have
> > you got it running attached to the 'Net?
> 
> I thought it to be closed!?

I don't see a rule for it. Do you? Where is rpc.statd's port blocked?

> This is my current ipfw config where rl0 is the outside interface and xl0
> connects the lan:
> 
> 00100  3281039 2395988201 divert 8668 ip from any to any via rl0
> 00200     5418     235058 allow ip from any to any via lo0
> 00300 12328087 9850315840 allow ip from any to any via xl0
> 00400        2         96 deny tcp from any to me 25 via rl0 setup
> 00500        0          0 deny tcp from any to me 53 via rl0 setup
> 00600        2         96 deny tcp from any to me 110 via rl0 setup
> 00700       10        600 deny tcp from any to me 111 via rl0 setup
> 00800        8        384 deny tcp from any to me 139 via rl0 setup
> 00900        0          0 deny tcp from any to me 587 via rl0 setup
> 01000  3280075 2395948580 allow ip from any to any via rl0
> 65535      490     312763 deny ip from any to any
> 
> Should I change rules for 111? Or are there other ports the portmapper uses?

You don't actually need to consult the portmapper to use an RPC
service. You can guess or brute force at what port a given service is
listening on.

> BTW, I'd like to use this config for the rl0 interface:

Right, this is in the right direction. You want to explicitly pass
what you allow and deny all else by default.

> $fwcmd add allow all from 192.168.0.0/24 to any via rl0

This rule doesn't make a lot of sense if it is coming after your
divert(4) rule (which I assume it is?). All traffic leaving your LAN
has already had the source address NAT'ed when this rule is hit.

> $fwcmd add allow tcp from any to me 1-65535 established via rl0

I don't really understand the point of explicitly telling it to pass
all possible port numbers.

> $fwcmd add allow tcp from any to me 21 setup via rl0
> $fwcmd add allow tcp from any to me 22 setup via rl0
> $fwcmd add allow tcp from any to me 80 setup via rl0
> $fwcmd add allow icmp from any to any
> $fwcmd add deny log ip from any to any

I don't see a rule that ever passes anything leaving the system. In
addition, for the same reason NAT'ed traffic leaving your system will
never match that first rule, NAT'ed traffic entering on rl0 will never
match any of these.

> But when I activate this set of rules, syslog keeps saying:
> 
> natd[182]: failed to write packet back (Permission denied)
> last message repeated 87 times
> 
> ...and so on, and the LAN is disconnected from the internet until I
> reload with the *deny-some-ports-and-allow-the-rest-config*.

Which would be expected from these rules.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
                                         cjclark@jhu.edu
                                         cjc@freebsd.org
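As an added illustration (not code from the thread, and neither Crist's nor Jonas's), the Python below is a small first-match simulator that walks packets through an ipfw ruleset the way the kernel does: a divert rule hands the packet to natd, which rewrites the address, and evaluation resumes at the next rule against the rewritten packet. It runs three rulesets: Jonas's current deny-some-ports set from the `ipfw show` output above, his proposed explicit-allow set (with the divert rule assumed to come first, as in his current set), and a reworked explicit-allow set of my own that matches on the addresses as they look after natd has rewritten them. The public address 203.0.113.5, the LAN host 192.168.0.10, the remote hosts, the port numbers and natd's port handling (the LAN source port is reused as the mapping key) are all constructed for the example; UDP and DNS are left out.

```python
import ipaddress

EXT_IP = "203.0.113.5"                       # constructed public address of rl0
ME = {EXT_IP, "192.168.0.1"}                 # what the "me" keyword resolves to
LAN = ipaddress.ip_network("192.168.0.0/24")

def rule(num, action, proto="ip", src="any", dst="any", dport=None, direction=None, via=None, flag=None):
    # dport: int or inclusive (lo, hi); flag: "setup" (SYN, no ACK) or "established" (ACK set)
    return dict(num=num, action=action, proto=proto, src=src, dst=dst, dport=dport,
                direction=direction, via=via, flag=flag)

def pkt(proto, src, dst, sport, dport, iface, direction, syn=False, ack=False):
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport, iface=iface,
                dir=direction, syn=syn, ack=ack)

def addr_match(spec, addr):
    if spec in ("any", "me"):
        return spec == "any" or addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(r, p):
    if r["proto"] not in ("ip", p["proto"]):
        return False
    if not (addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])):
        return False
    if r["dport"] is not None:
        lo, hi = r["dport"] if isinstance(r["dport"], tuple) else (r["dport"],) * 2
        if not lo <= p["dport"] <= hi:
            return False
    if (r["direction"] and r["direction"] != p["dir"]) or (r["via"] and r["via"] != p["iface"]):
        return False
    if r["flag"] == "setup":
        return p["syn"] and not p["ack"]
    if r["flag"] == "established":
        return p["ack"]
    return True

def natd(p, table):
    # Emulates natd on rl0.  Real natd allocates its own external ports; here the
    # LAN source port is reused as the mapping key to keep the example short.
    p = dict(p)
    if p["dir"] == "out" and ipaddress.ip_address(p["src"]) in LAN:
        table[p["sport"]] = p["src"]
        p["src"] = EXT_IP                        # outbound: source becomes the public address
    elif p["dir"] == "in" and p["dst"] == EXT_IP and p["dport"] in table:
        p["dst"] = table[p["dport"]]             # inbound reply: destination becomes the LAN host
    return p

def evaluate(rules, p, table):
    # First match wins.  A divert rule rewrites the packet and ipfw resumes at the
    # next rule; if that walk ends in deny, natd logs "failed to write packet back".
    for r in rules:
        if not matches(r, p):
            continue
        if r["action"] == "divert":
            p = natd(p, table)
            continue
        return r["action"], r["num"]
    return "deny", 65535                         # the implicit default rule

# Jonas's running deny-some-ports set, as shown by ipfw show in the thread.
CURRENT = [rule(100, "divert", via="rl0"), rule(200, "allow", via="lo0"), rule(300, "allow", via="xl0")] + [
    rule(400 + 100 * i, "deny", "tcp", dst="me", dport=port, via="rl0", flag="setup")
    for i, port in enumerate((25, 53, 110, 111, 139, 587))] + [rule(1000, "allow", via="rl0")]

# Jonas's proposed explicit-allow set, with the divert rule assumed to come first.
PROPOSED = [
    rule(100, "divert", via="rl0"),
    rule(200, "allow", src="192.168.0.0/24", via="rl0"),
    rule(300, "allow", "tcp", dst="me", dport=(1, 65535), via="rl0", flag="established"),
    rule(400, "allow", "tcp", dst="me", dport=21, via="rl0", flag="setup"),
    rule(500, "allow", "tcp", dst="me", dport=22, via="rl0", flag="setup"),
    rule(600, "allow", "tcp", dst="me", dport=80, via="rl0", flag="setup"),
    rule(700, "allow", "icmp"),
    rule(800, "deny"),
]

# A reworked set (my suggestion, not from the thread) that matches on the
# addresses as they look after natd has rewritten them.
REWORKED = [
    rule(100, "divert", via="rl0"),
    rule(200, "allow", src="me", direction="out", via="rl0"),       # NAT'ed LAN traffic now has src = me
    rule(300, "allow", "tcp", dst="192.168.0.0/24", direction="in", via="rl0", flag="established"),
    rule(400, "allow", "tcp", dst="me", direction="in", via="rl0", flag="established"),
    rule(500, "allow", "tcp", dst="me", dport=22, direction="in", via="rl0", flag="setup"),
    rule(600, "allow", "icmp"),
    rule(700, "deny"),
]

# Constructed traffic: a LAN host opening a web connection, its reply, and two
# unsolicited SYNs from outside (one to port 111, one to an arbitrary unlisted port).
TRAFFIC = (
    ("lan_out", pkt("tcp", "192.168.0.10", "198.51.100.7", 40000, 80, "rl0", "out", syn=True)),
    ("reply_in", pkt("tcp", "198.51.100.7", EXT_IP, 80, 40000, "rl0", "in", syn=True, ack=True)),
    ("port111_in", pkt("tcp", "198.51.100.9", EXT_IP, 5555, 111, "rl0", "in", syn=True)),
    ("port4242_in", pkt("tcp", "198.51.100.9", EXT_IP, 5556, 4242, "rl0", "in", syn=True)),
)

def trace(rules):
    # Run the traffic through one ruleset with a shared NAT table; returns {name: (action, rule)}.
    table = {}
    return {name: evaluate(rules, p, table) for name, p in TRAFFIC}

if __name__ == "__main__":
    for name, rules in (("current", CURRENT), ("proposed", PROPOSED), ("reworked", REWORKED)):
        print(name, trace(rules))
```

Running it shows the three points made in the reply: under the current set, the SYN to port 111 is dropped by rule 700 but the SYN to the unlisted port reaches rule 1000 and is allowed, which is why deny-listing a few ports does not close the RPC services; under the proposed set every packet, including the LAN host's own outbound connection and its reply, falls through to the final deny because the post-NAT source is no longer in 192.168.0.0/24 and the post-NAT destination is no longer "me" (that final deny is what natd reports as "failed to write packet back (Permission denied)"); and under the reworked set, which matches on the post-NAT addresses and explicitly passes outbound traffic, the LAN connection and its reply pass while the unsolicited SYNs are still denied.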
