
[linux-security] Re: portmap vulnerability?



On 9 Dec 1998 R E Wolff BitWizard nl wrote:
> Christopher Lindsey wrote:
> > And of course if you must run portmap, use TCP wrappers to limit
> > it to a certain range of hosts.  Assuming that hosts.deny has
> 
> Actually, portmapper cannot run "behind" tcp wrappers. It opens
> its port and waits for connections. However, it seems that modern
> portmappers are linked with the library from tcpwrappers, so that
> it takes the same config files as the tcpwrappers do. Nifty!
> 
<-snip->
> > rpc.mountd can also be limited, but I don't know if that support
> > is in the default RedHat binaries.  You can always grab the source
> > from
> > 
> >    ftp://linux.mathematik.tu-darmstadt.de/pub/linux/people/okir/

Another solution is to compile the kernel with IP firewalling and
do the filtering at the kernel level.  This solution will be port-
specific rather than application-specific, but it will work with
anything - whether or not it's wrapper-aware.

-ps
Paul Schmidt          <  ><               PSchmidt at Custom dot Net
Bloomfield, IN USA    Linux 2.0.36  web: viaduct.custom.net/pschmidt 
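
The port-level filtering suggested in this message, sketched as an added example that is not part of the original post or the poster's own configuration. It assumes iptables syntax rather than the firewalling tool of the 2.0.x kernel in the thread; the network 192.168.1.0/24 and the function names `valid_cidr` and `portmap_rules` are constructed for illustration.

```shell
#!/bin/sh
# Added example: print packet-filter rules limiting the portmapper
# (port 111, TCP and UDP) to loopback plus one trusted network.
# Assumptions: iptables syntax; 192.168.1.0/24 is a constructed sample.

PORTMAP_PORT=111

# Succeed only for a.b.c.d/len with octets 0-255 and len 0-32.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr            # split the address into its octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print (not apply) the rules; order matters: ACCEPTs precede the DROP.
portmap_rules() {
    net=$1
    valid_cidr "$net" || { echo "bad network: $net" >&2; return 1; }
    for proto in tcp udp; do
        echo "iptables -A INPUT -i lo -p $proto --dport $PORTMAP_PORT -j ACCEPT"
        echo "iptables -A INPUT -s $net -p $proto --dport $PORTMAP_PORT -j ACCEPT"
        echo "iptables -A INPUT -p $proto --dport $PORTMAP_PORT -j DROP"
    done
}

# Dry run: review the output, then pipe it to sh as root to apply it.
portmap_rules "${TRUSTED_NET:-192.168.1.0/24}"
```

These rules cover only port 111; a service that registers a dynamically assigned port needs that port fixed before a port-based rule can cover it.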


