From owner-freebsd-security@FreeBSD.ORG Wed Jul 30 10:21:45 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id 397C537B401
    for ; Wed, 30 Jul 2003 10:21:45 -0700 (PDT)
Received: from mail.secureworks.net (mail.secureworks.net [209.101.212.155])
    by mx1.FreeBSD.org (Postfix) with SMTP id 25FF043F85
    for ; Wed, 30 Jul 2003 10:21:44 -0700 (PDT)
    (envelope-from mdg@secureworks.net)
Received: (qmail 89227 invoked from network); 30 Jul 2003 17:19:05 -0000
Received: from unknown (HELO HOST-192-168-17-31.internal.secureworks.net) (209.101.212.253)
    by mail.secureworks.net with SMTP; 30 Jul 2003 17:19:05 -0000
Date: Wed, 30 Jul 2003 13:21:43 -0400 (EDT)
From: Matthew George
X-X-Sender: mdg@localhost
To: security@freebsd.org
Message-ID: <20030730130919.E40074@localhost>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: portmap, bind(), and NIS
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 30 Jul 2003 17:21:45 -0000

Greetings

I'm running an NIS server that I would very much *not* want to be
accessible on some of its interfaces. portmap can be instructed to bind
to specific addresses using the -h flag, but this seems to break ypbind.

ypbind will attempt to find a server by issuing a broadcast rpc request to
the local network. When portmap is not bound to INADDR_ANY, it will not
reply to these requests.

I'd rather not have to run ypset on clients where this condition exists
with their local NIS servers, and I'd really like to not have portmap
bound on certain interfaces. I could filter it of course, but I was
hoping someone had another option that they were aware of ...

TIA

--
Matthew George
SecureWorks Technical Operations
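
The socket behaviour the message describes, as an added example that is not part of the original post: a UDP listener bound to one unicast address (what the message says portmap -h does) never sees a datagram sent to the broadcast address, while a listener bound to INADDR_ANY does. It assumes a Linux loopback interface, where 127.255.255.255 is treated as a broadcast address; the function name and probe payload are constructed for illustration.

```python
import socket

# Assumption: Linux loopback, where 127.255.255.255 is lo's broadcast address.
BROADCAST_ADDR = "127.255.255.255"


def listener_receives(bind_addr, dest_addr, timeout=0.5):
    """Bind a UDP listener to bind_addr, send one datagram to dest_addr at
    the listener's port, and report whether the listener received it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind((bind_addr, 0))          # port 0: kernel picks a free port
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        # Sending to a broadcast address requires SO_BROADCAST on the sender.
        sender.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sender.sendto(b"constructed-probe", (dest_addr, port))
        try:
            listener.recvfrom(1024)
            return True
        except socket.timeout:
            return False
    finally:
        listener.close()
        sender.close()


if __name__ == "__main__":
    cases = [
        ("0.0.0.0", BROADCAST_ADDR),    # wildcard bind, broadcast probe
        ("127.0.0.1", BROADCAST_ADDR),  # specific bind, broadcast probe
        ("127.0.0.1", "127.0.0.1"),     # specific bind, unicast probe
    ]
    for bind_addr, dest_addr in cases:
        got = listener_receives(bind_addr, dest_addr)
        print(f"bound to {bind_addr:<10} probe to {dest_addr:<16} received={got}")
```
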