Re: installing TCP programs when RPC programs are running
* Loïc Minier:
> Florian Weimer <fw@deneb.enyo.de> - Thu, Oct 07, 2004:
>
>> I think the best option would be to allow the system administrator to
>> statically allocate the ports used by RPC programs.  This would help
>> packet filters, too.
>
>  While I see the benefit of your suggestion, for packet filters, I don't
>  see how that would help average people experiencing the problem?  Would
>  you require the admin to configure each port for each RPC service as it
>  is installed?
Maybe there could be defaults for the most common ones?  I'm not sure.
The libc routines could also read /etc/services and skip ports listed
there.  There should still be enough remaining ports.
>  (BTW, I used to call rpcinfo -p to setup my iptables rules dynamically,
>  but that does not cover service restarts very well, something like a
>  rpc_conntrack would be better, and it seemed to exist too)
One school of thought in network security is that you don't have
intelligent firewalls, based on the assumption that parsing complex
protocols on firewall components is likely to make the firewall
vulnerable to the same attacks as the application to be protected by
the firewall.  Static port assignments would be quite beneficial.
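The "read /etc/services and skip ports listed there" idea above, sketched as an added C example (this is not code from the thread, glibc or any RPC library). It parses a constructed excerpt in /etc/services format into a bitmap of reserved ports, then hands out the first port in a hypothetical range that is neither reserved nor already in use; the range, the in-use set and the sample file contents are all assumptions, and a real allocator would still confirm the choice with bind() rather than trusting a table.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PORT_MAX 65535u

/* Constructed excerpt in /etc/services format (not a real system file).
 * The last two lines are deliberately malformed to exercise the parser. */
static const char *sample_services =
    "# Network services, Internet style (constructed sample)\n"
    "ssh\t\t22/tcp\n"
    "ssh\t\t22/udp\n"
    "sunrpc\t\t111/tcp\tportmapper\n"
    "sunrpc\t\t111/udp\tportmapper\n"
    "nfs\t\t2049/tcp\n"
    "nfs\t\t2049/udp\n"
    "x11\t\t6000/tcp\tx11-0\t# X Window System\n"
    "bogus\t\tabc/tcp\n"
    "overflow\t\t70000/tcp\n";

/* One bit per port number 0..65535. */
typedef struct { uint8_t bits[(PORT_MAX + 1) / 8]; } portset;

void portset_add(portset *s, unsigned port)
{
    if (port <= PORT_MAX)
        s->bits[port / 8] |= (uint8_t)(1u << (port % 8));
}

int portset_has(const portset *s, unsigned port)
{
    return port <= PORT_MAX && ((s->bits[port / 8] >> (port % 8)) & 1);
}

/* Parse one "name port/proto [aliases] [# comment]" line.
 * Returns 1 and stores the port if the line is a valid entry, else 0. */
int parse_services_line(const char *line, unsigned *port_out)
{
    const char *p = line;
    while (*p == ' ' || *p == '\t') p++;
    if (*p == '\0' || *p == '\n' || *p == '#') return 0;      /* blank or comment */
    while (*p && !isspace((unsigned char)*p)) p++;            /* skip service name */
    while (*p == ' ' || *p == '\t') p++;
    if (!isdigit((unsigned char)*p)) return 0;                /* port must be numeric */
    char *end;
    unsigned long port = strtoul(p, &end, 10);
    if (*end != '/' || port == 0 || port > PORT_MAX) return 0; /* need "port/proto", in range */
    *port_out = (unsigned)port;
    return 1;
}

/* Load every valid entry of a services table into the set.
 * Returns the number of distinct ports added. */
int load_services(const char *text, portset *set)
{
    int added = 0;
    const char *line = text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        unsigned port;
        if (parse_services_line(buf, &port) && !portset_has(set, port)) {
            portset_add(set, port);
            added++;
        }
        line = nl ? nl + 1 : line + len;
    }
    return added;
}

/* First port in [lo, hi] that is neither listed in the services table nor
 * already in use; 0 if the range is exhausted.  The in_use set stands in for
 * the bind() check a real allocator would perform. */
unsigned pick_port(const portset *reserved, const portset *in_use,
                   unsigned lo, unsigned hi)
{
    for (unsigned p = lo; p <= hi && p <= PORT_MAX; p++)
        if (!portset_has(reserved, p) && !portset_has(in_use, p))
            return p;
    return 0;
}

int main(void)
{
    portset reserved = {{0}}, in_use = {{0}};
    int n = load_services(sample_services, &reserved);
    /* Hypothetical situation: 2047 and 2048 already bound, allocator scans from 2047. */
    portset_add(&in_use, 2047);
    portset_add(&in_use, 2048);
    unsigned p = pick_port(&reserved, &in_use, 2047, 2051);
    printf("%d reserved ports loaded; nfs (2049) skipped, allocated port %u\n", n, p);
    return 0;
}
```

The skip is cheap (one bitmap lookup per candidate) and the parser ignores lines it cannot make sense of instead of failing, so a stray entry in the table cannot take the allocator down; the trade-off is that the table only reflects what the administrator has listed, which is the point Florian makes about it still leaving enough ports.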