Date:      Mon, 14 Jun 1999 14:13:26 -0700 (MST)
From:      Steve Grandi <grandi@noao.edu>
To:        Matthew Seaman <m.seaman@inpharmatica.co.uk>
Cc:        obrien@NUXI.com, freebsd-stable@FreeBSD.ORG
Subject:   Re: amd and /etc/hosts.allow
Message-ID:  <Pine.LNX.4.10.9906141352010.1504-100000@mirfak.tuc.noao.edu>
In-Reply-To: <3764D713.5D8322EE@inpharmatica.co.uk>

I've done lots of experiments today and discovered little:  I think most
of my problems with amd and mount_nfs have to do with NFS quirks between
inhomogeneous operating systems and less (if anything) to do with portmap
and tcp_wrappers.  If I come up with something solid, I will post again.
In other words, never mind!

I have verified Matthew's point about portmap and numerical entries in
/etc/hosts.access. I used spray as an easy test.

ALL : .noao.edu : allow

was not sufficient to allow portmap access, while

ALL : 140.252. : allow

works fine.


Steve Grandi

On Mon, 14 Jun 1999, Matthew Seaman wrote:

> Steve Grandi wrote:
> 
> > The portion of /etc/hosts.allow that refers to portmap sure appears to me
> > to be sufficient to let local hosts in:
> > 
> > # Portmapper is used for all RPC services; protect your NFS!
> > #portmap : localhost : allow
> > #portmap : .noao.edu : allow
> > #portmap : .evil.cracker.example.com : deny
> > portmap : ALL : allow
> > 
> > Any thoughts?  The next time I can play with this system, I will start
> > portmap with -v to see if any log entries are interesting.
> 
> The common experience on other Unices using portmap+tcp_wrappers is that you
> can only use the keyword "ALL" or IP address/mask pairs to protect portmap --
> not host or domain names or NIS netgroups.  This is documented in the README
> that comes with the original Wietse Venema portmap_5beta code, on which I
> believe FreeBSD portmap is based: 
> 
> ftp://ftp.porcupine.org/pub/security/portmap_5beta.tar.gz

Steve Grandi, National Optical Astronomy Observatories/AURA Inc., Tucson AZ USA
Internet: grandi@noao.edu  Voice: +1 520 318-8228
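
Added example, not part of the original messages: a small Python check for the behaviour discussed in this thread, flagging hosts.allow rules that apply to portmap but use host or domain names rather than ALL or a numeric address pattern. The function name and the sample rules are constructed for illustration; continuation lines and EXCEPT in the daemon list are not interpreted.

```python
import re

# Numeric client patterns: dotted prefix ("140.252."), full address, or net/mask.
NUMERIC = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}\.?(/\d{1,3}(\.\d{1,3}){3})?$")

# Constructed sample in the style of the rules quoted in the thread.
SAMPLE = """\
# Portmapper is used for all RPC services
ALL : .noao.edu : allow
ALL : 140.252. : allow
portmap : localhost : allow
portmap : 140.252.0.0/255.255.0.0 : allow
ftpd : .noao.edu : allow
portmap : ALL : allow
"""

def portmap_name_rules(text):
    """Return (line_no, pattern) for every rule that applies to portmap and
    whose client pattern is neither ALL nor a numeric address pattern."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # not a "daemons : clients" rule
        daemons = set(re.split(r"[,\s]+", fields[0]))
        if not daemons & {"ALL", "portmap"}:
            continue  # rule does not cover portmap
        for pat in re.split(r"[,\s]+", fields[1]):
            if pat and pat not in ("ALL", "EXCEPT") and not NUMERIC.match(pat):
                findings.append((no, pat))
    return findings

if __name__ == "__main__":
    for no, pat in portmap_name_rules(SAMPLE):
        print(f"line {no}: '{pat}' is name-based; use ALL or an address pattern for portmap")
```
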






