[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[linux-security] Re: portmap vulnerability?



On 9 Dec 1998 BigJason tamu edu wrote:
> Does anyone know what ports to restrict?  I tried doing the below
> as part of a script, but the NFS mount on $B stops working.
> Any ideas?  I wish I could find a list of ports for each service,
> especially the RPC based ones.
> 
> A="192.168.1.1"
> B="192.161.1.2"
> 
> # Deny NFS to everyone
> $IPFWADM -I -a deny -P udp -D $A 111
> $IPFWADM -I -a deny -P udp -D $A 635
> $IPFWADM -I -a deny -P udp -D $A 2049
> $IPFWADM -I -a deny -P tcp -D $A 111
> $IPFWADM -I -a deny -P tcp -D $A 635
>  
> # Only allow B to mount NFS shares
> $IPFWADM -I -a accept -P udp -S $B -D $A 111
> $IPFWADM -I -a accept -P udp -S $B -D $A 635
> $IPFWADM -I -a accept -P udp -S $B -D $A 2049
> $IPFWADM -I -a accept -P tcp -S $B -D $A 111
> $IPFWADM -I -a accept -P tcp -S $B -D $A 635 

The -a command in ipfwadm adds the rule to the end of the
list.  Since the firewalling code exits (whether pass or
fail) on the first rule that matches, the 'deny to everyone'
locked out the desired host.  You need the host-by-host 
allow entries to be before the deny entries.

At my office ({something}.mil) I block outside UDP to any ports
below 1024 (except on the name server, which allows 53, of
course).  This is in addition to most of my boxes being behind
both a firewall and a filtering router.  Similarly, all of my
boxes except a very few specifically allowed to be accessed from
the outside (with OPIE passwords, etc - not straight telnet!) are
blocked for all privileged (low-numbered) port TCP accesses, and
the rest are blocked for non-essential privileged ports.

Yes, I *am* paranoid.  Getting hacked is too much paperwork.

(By outside access, I mean access from any address not within the
office network - including other addresses on the installation,
which are outside of my office's filtering router but still within
the installation's firewall.  I told you, I'm paranoid.)

-ps
--
Paul Schmidt          <  ><               PSchmidt at Custom dot Net
Bloomfield, IN USA    Linux 2.0.36  web: viaduct.custom.net/pschmidt 
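Added example, not code from the original thread or from either poster: a toy model of ipfwadm's first-match input chain in Python. It builds the quoted NFS rule set in the order posted (denies appended first, so the host-specific allows are never reached), then the two ways to fix it (append the allows first, or insert them at the head with -i), and finally the reply's "no outside UDP to privileged ports, except 53 on the name server" policy. The office prefix 192.168.1.0/24 and the name-server address 192.168.1.53 are assumptions; nothing here talks to a kernel, it only evaluates rules the way the reply describes: the first rule that matches decides.

```python
"""Toy first-match packet filter in the style of `ipfwadm -I` (added example).

Models only what the thread discusses: -a appends to the end of the list,
-i inserts at the head, and the first matching rule decides (unmatched
packets fall through to the chain default, accept unless changed with -p).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

A = "192.168.1.1"              # NFS server, from the quoted script
B = "192.161.1.2"              # NFS client allowed to mount, as written in the post
OFFICE_NET = "192.168.1.0/24"  # assumed office prefix (not in the original post)
NAME_SERVER = "192.168.1.53"   # assumed name server address (not in the post)
ANY = "0.0.0.0/0"

NFS_PORTS = {"udp": (111, 635, 2049), "tcp": (111, 635)}  # portmap, mountd, nfsd
PRIVILEGED = range(1, 1024)


@dataclass(frozen=True)
class Rule:
    policy: str          # "accept" or "deny"
    proto: str           # "udp", "tcp" or "all"
    src: str = ANY       # -S source address or prefix
    dst: str = ANY       # -D destination address or prefix
    dports: object = ()  # destination ports (any container); empty means any port

    def matches(self, proto, src, dst, dport):
        if self.proto not in ("all", proto):
            return False
        if ip_address(src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(dst) not in ip_network(self.dst, strict=False):
            return False
        return (not self.dports) or dport in self.dports


def append(chain, rule):   # ipfwadm -a: add the rule to the end of the list
    chain.append(rule)


def insert(chain, rule):   # ipfwadm -i: insert the rule at the head of the list
    chain.insert(0, rule)


def evaluate(chain, proto, src, dst, dport, default="accept"):
    """Walk the chain in order; the first matching rule decides, the rest is ignored."""
    for rule in chain:
        if rule.matches(proto, src, dst, dport):
            return rule.policy
    return default


def nfs_denies():
    return [Rule("deny", proto, dst=A, dports=(p,))
            for proto, ports in NFS_PORTS.items() for p in ports]


def nfs_allows():
    return [Rule("accept", proto, src=B, dst=A, dports=(p,))
            for proto, ports in NFS_PORTS.items() for p in ports]


def chain_as_posted():
    """Denies appended first, allows appended after: the allows are never reached."""
    chain = []
    for r in nfs_denies() + nfs_allows():
        append(chain, r)
    return chain


def chain_fixed_by_order():
    """Same commands, with the host-by-host allows appended before the denies."""
    chain = []
    for r in nfs_allows() + nfs_denies():
        append(chain, r)
    return chain


def chain_fixed_by_insert():
    """Keep the posted command order, but use -i for the allows so they go first."""
    chain = []
    for r in nfs_denies():
        append(chain, r)
    for r in nfs_allows():
        insert(chain, r)
    return chain


def chain_office_udp_policy():
    """Outside UDP to ports below 1024 blocked, except 53 on the name server."""
    chain = []
    append(chain, Rule("accept", "udp", src=OFFICE_NET))                # inside is trusted
    append(chain, Rule("accept", "udp", dst=NAME_SERVER, dports=(53,)))  # DNS stays open
    append(chain, Rule("deny", "udp", dports=PRIVILEGED))                # everything else < 1024
    return chain


if __name__ == "__main__":
    for name, chain in [("as posted", chain_as_posted()),
                        ("fixed by order", chain_fixed_by_order()),
                        ("fixed by -i", chain_fixed_by_insert())]:
        print(f"{name:15} B -> A udp/111: {evaluate(chain, 'udp', B, A, 111)}")
    pol = chain_office_udp_policy()
    print("outside -> ns udp/53:   ", evaluate(pol, "udp", "203.0.113.9", NAME_SERVER, 53))
    print("outside -> host udp/111:", evaluate(pol, "udp", "203.0.113.9", "192.168.1.7", 111))
    print("outside -> host udp/2049:", evaluate(pol, "udp", "203.0.113.9", "192.168.1.7", 2049))
```

Two things worth noticing when running it. First, the "as posted" chain denies B's mount request exactly as the reply says, and both fixes accept it while still denying every other source. Second, the privileged-port policy on its own passes outside UDP to 2049, because nfsd's port is above 1023; that is why the quoted script blocks 2049 explicitly rather than relying on a "no low UDP ports" rule.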


