Re: assimilating OpenBSD
On Thu, Feb 08, 2001 at 02:08:11PM +1100, Craig Sanders wrote:
> On Wed, Feb 07, 2001 at 07:49:00AM -0500, Michael Stone wrote:
> > On Wed, Feb 07, 2001 at 01:23:57PM +1100, Craig Sanders wrote:
> > > portmap is not a security problem in debian by default because it
> > > does not accept connections from anywhere except localhost until you
> > > configure it to do so. you have to specifically allow connections
> > > from particular IP addresses (not hostnames) in /etc/hosts.allow.
> >
> > Hmm. I've never seen the default hosts.deny block the whole world
> > from connecting to portmap. Are you sure you didn't add such a line
> > yourself?
>
> absolutely sure. quite the contrary in fact...i had to add my own
> networks to the portmap line in hosts.allow in order to allow them to
> connect.
>
> RTFM.
>
> /usr/share/doc/portmap/portmapper.txt.gz
>
> it has worked like this for years.
>
> even if there is no portmap line in hosts.allow, it's still secure. by
> default, debian's portmapper will reject any connection UNLESS it is
> specifically allowed in hosts.allow. i.e. portmap's default policy = deny.
[sorry to beat on a dead horse, but I'm behind on -devel]
Huh? I have a nice clean sid installation here, ALL: PARANOID in
hosts.deny, and nothing in hosts.allow. rpc.statd allows
connections from any host.
What do yours look like?
Dan
/--------------------------------\ /--------------------------------\
| Daniel Jacobowitz |__| SCS Class of 2002 |
| Debian GNU/Linux Developer __ Carnegie Mellon University |
| dan@debian.org | | dmj+@andrew.cmu.edu |
\--------------------------------/ \--------------------------------/
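
An added example, not part of the original message and not Debian's or portmap's own code: a simplified model of the lookup order documented in hosts_access(5), showing how a configuration like the one described above (ALL: PARANOID in hosts.deny, empty hosts.allow) is evaluated. The daemon names, addresses and the `dns_consistent` flag are constructed assumptions, and any default-deny policy compiled into a particular daemon is not modeled.

```python
# Simplified model of the hosts_access(5) decision order (added example).
# Supports only: daemon names, ALL, PARANOID, literal addresses, "net." prefixes.

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = [part.strip() for part in line.split(":")[:2]]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, addr, dns_consistent):
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        # Matches only hosts whose name does not match their address.
        return not dns_consistent
    if pattern.endswith("."):
        return addr.startswith(pattern)  # network prefix such as "192.0.2."
    return pattern == addr

def table_matches(rules, daemon, addr, dns_consistent):
    return any(
        (d == "ALL" or d == daemon) and client_matches(c, addr, dns_consistent)
        for daemons, clients in rules for d in daemons for c in clients)

def access_granted(allow_text, deny_text, daemon, addr, dns_consistent=True):
    """hosts.allow is consulted first, then hosts.deny, otherwise grant."""
    if table_matches(parse_rules(allow_text), daemon, addr, dns_consistent):
        return True
    if table_matches(parse_rules(deny_text), daemon, addr, dns_consistent):
        return False
    return True  # no match in either table: access is granted

if __name__ == "__main__":
    # Constructed sample: ALL: PARANOID in hosts.deny, empty hosts.allow.
    for consistent in (True, False):
        ok = access_granted("", "ALL: PARANOID", "rpc.statd",
                            "198.51.100.7", dns_consistent=consistent)
        print(f"dns_consistent={consistent}: granted={ok}")
    # Constructed sample: deny everything, allow one network for portmap.
    print(access_granted("portmap: 192.0.2.", "ALL: ALL", "portmap", "192.0.2.10"))
```
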