From: Brooks Davis
To: John Polstra
Cc: Danny Braniss, freebsd-net@freebsd.org
Date: Tue, 26 Sep 2006 16:27:52 -0500
Subject: Re: IPMI & portrange
Message-ID: <20060926212751.GA53219@lor.one-eyed-alien.net>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

On Tue, Sep 26, 2006 at 01:53:44PM -0700, John Polstra wrote:
> On 26-Sep-2006 Danny Braniss wrote:
> > This keeps biting me every other upgrade, IPMI on some
> > hosts, if enabled, will steal packets to port 623 or 664, so
> > the current solution is either set net.inet.ip.portrange.lowlast
> > to 664 (for some reason this does not seem to work if done via
> > loader.conf) or change it in sys/netinet/in.h.
> >
> > So, is there some way to blacklist some ports, instead
> > of increasing portrange.lowlast?
>
> You could use your favorite scripting language to create a socket,
> bind it to the port, listen on it, and just sit there doing nothing
> -- for each port you want to blacklist. That would keep the ports
> from being used by anything else.

Extending the internal service functionality of inetd might be a good
approach for this sort of thing. The current method of service matching
based on port and protocol could be augmented with the ability to connect
arbitrary "internal" services to arbitrary ports, perhaps via arguments
to the "internal" command. Then you could hook discard to ports you don't
want to use.

-- 
Brooks
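John's bind-and-hold suggestion, written out as an added example that is not part of the thread and not code from any of its participants. It defaults to the two ports Danny names (623 and 664) and, as an assumption, binds both UDP and TCP on each so that neither protocol's ephemeral-port allocator can hand them out; the kernel will not assign an ephemeral port that already has a socket bound to it, and binding to the wildcard address is what makes the reservation conflict with every local address. The function names (reserve_ports, release_ports, port_is_held, find_free_port) are this example's own. Ports below 1024 need root.

```python
#!/usr/bin/env python3
"""Hold ports open so the kernel cannot allocate them as ephemeral ports.

Added example (not from the freebsd-net thread).  Binds a socket to each
port you want to keep out of use and then just sits there, as John
Polstra suggested.  Defaults to 623 and 664, the ports the IPMI
controller steals; binding UDP *and* TCP on each is this example's own
assumption.  SO_REUSEADDR is deliberately left off so the reservation is
exclusive.
"""
import socket
import sys
import time

DEFAULT_PORTS = (623, 664)
PROTOCOLS = {"udp": socket.SOCK_DGRAM, "tcp": socket.SOCK_STREAM}


def reserve_ports(ports=DEFAULT_PORTS, protocols=("udp", "tcp"), host=""):
    """Bind (and, for TCP, listen on) every port/protocol pair.

    Returns {(port, proto): socket}.  Nothing is ever read from the
    sockets; holding them open is the whole point.  If any bind fails
    (e.g. EADDRINUSE), everything bound so far is released and the
    OSError is re-raised, so a partial reservation never lingers.
    """
    held = {}
    try:
        for port in ports:
            for proto in protocols:
                s = socket.socket(socket.AF_INET, PROTOCOLS[proto])
                try:
                    s.bind((host, port))  # "" is INADDR_ANY: conflicts with every local address
                    if proto == "tcp":
                        s.listen(1)       # never accept(); just occupy the port
                except OSError:
                    s.close()
                    raise
                held[(port, proto)] = s
    except OSError:
        release_ports(held)
        raise
    return held


def release_ports(held):
    """Close every held socket and empty the dict in place."""
    for s in held.values():
        s.close()
    held.clear()


def port_is_held(port, proto="udp", host=""):
    """True if a fresh bind to the port fails with EADDRINUSE, i.e. some
    socket (ours or another daemon's) already owns it."""
    s = socket.socket(socket.AF_INET, PROTOCOLS[proto])
    try:
        s.bind((host, port))
    except OSError as e:
        if e.errno == 98 or e.errno == getattr(__import__("errno"), "EADDRINUSE"):
            return True
        raise
    finally:
        s.close()
    return False


def find_free_port(protocols=("udp", "tcp"), host="", attempts=20):
    """Self-check helper: let the kernel pick an unused port for the first
    protocol, then confirm it is also free for the others."""
    for _ in range(attempts):
        s = socket.socket(socket.AF_INET, PROTOCOLS[protocols[0]])
        try:
            s.bind((host, 0))
            port = s.getsockname()[1]
        finally:
            s.close()
        if not any(port_is_held(port, p, host) for p in protocols[1:]):
            return port
    raise RuntimeError("no port free for all requested protocols")


if __name__ == "__main__":
    # e.g.  python3 holdports.py 623 664   (as root; run from rc.local)
    ports = [int(p) for p in sys.argv[1:]] or list(DEFAULT_PORTS)
    held = reserve_ports(ports)
    print("holding", sorted(held))
    try:
        while True:
            time.sleep(3600)
    except KeyboardInterrupt:
        release_ports(held)
```

Two caveats worth keeping in mind. First, this only stops the host's own kernel from choosing 623 or 664 as a source port for outgoing connections (the lowlast workaround in the thread addresses the same thing); it does nothing about the BMC intercepting inbound packets on those ports, which it does regardless of what the host has bound. Second, if some real service legitimately needs one of those ports, the holder must be started after it, or it will fail with EADDRINUSE, which is exactly the failure the function reports rather than leaving a half-made reservation.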