
Re: installing TCP programs when RPC programs are running

Florian Weimer <fw@deneb.enyo.de> - Sun, Oct 10, 2004:

> >  While I see the benefit of your suggestion, for packet filters, I don't
> >  see how that would help average people experiencing the problem?  Would
> >  you require the admin to configure each port for each RPC service as it
> >  is installed?
> Maybe there could be defaults for the most common ones?  I'm not sure.
> The libc routines could also read /etc/services and skip ports listed
> there.  There should still be enough remaining ports.

 Good ideas. I don't know if they'll be accepted, but I will report

> >  (BTW, I used to call rpcinfo -p to setup my iptables rules dynamically,
> >  but that does not cover service restarts very well, something like a
> >  rpc_conntrack would be better, and it seemed to exist too)
> One school of thought in network security is that you don't have
> intelligent firewalls, based on the assumption that parsing complex
> protocols on firewall components is likely to make the firewall
> vulnerable to the same attacks as the application to be protected by
> the firewall.  Static port assignments would be quite beneficial.

 That's an interesting point of view, but I'm still quite happy that
 iptables has a conntrack for example.  :)
   I tend to think that security simply implies fewer features, but I
 come to the same conclusions as you.

 We need someone willing to patch portmap to let the port of RPC
 services be chosen based on rules other than "first free port", but
 I'll report that too.

 To summarize, four ideas have emerged:
 - only warn once when multiple RPC services are installed,
 - warn only when the RPC service doesn't request a static port,
 - permit the configuration of static ports in portmap,
 - autodetect assigned services in glibc and try to avoid putting RPC
   services on them.


Loïc Minier <lool@dooz.org>
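As an added illustration, not code from this thread or from portmap or glibc, the following Python script shows the collision the thread is about (an RPC service grabbing a port that /etc/services assigns to another daemon) and the /etc/services-aware port choice suggested above. The /etc/services excerpt and the rpcinfo -p output are constructed; the port range, the upward search from a start port and the iptables rule shape are assumptions and do not reproduce what glibc's bindresvport or portmap actually do.

```python
"""Added example: detect RPC services that landed on /etc/services ports,
pick a replacement port that avoids them, and snapshot iptables rules.
All inputs below are constructed, not captured from a real host."""
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt in /etc/services layout: name port/proto [aliases] [# comment]
SERVICES_TEXT = """\
# Network services, Internet style
ssh             22/tcp
smtp            25/tcp          mail
sunrpc          111/tcp         portmapper
sunrpc          111/udp         portmapper
ipp             631/tcp
ipp             631/udp
rsync           873/tcp
imaps           993/tcp
nfs             2049/tcp
nfs             2049/udp
"""

# Constructed output in the layout of `rpcinfo -p`: program vers proto port [name]
RPCINFO_TEXT = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    631  status
    100024    1   tcp    993  status
    100021    1   udp   1024  nlockmgr
    100003    2   tcp   2049  nfs
"""


def parse_services(text: str) -> Dict[Tuple[int, str], List[str]]:
    """Map (port, proto) -> [canonical name, aliases...] from /etc/services text."""
    table: Dict[Tuple[int, str], List[str]] = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or '/' not in fields[1]:
            continue                            # tolerate malformed lines
        port, proto = fields[1].split('/', 1)
        table[(int(port), proto)] = [fields[0]] + fields[2:]
    return table


def parse_rpcinfo(text: str) -> List[dict]:
    """Parse `rpcinfo -p` style lines; the header row does not match the pattern."""
    rows = []
    for line in text.splitlines():
        m = re.match(r'\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)', line)
        if m:
            rows.append({'program': int(m[1]), 'version': int(m[2]),
                         'proto': m[3], 'port': int(m[4]), 'name': m[5] or None})
    return rows


def collisions(rpc_rows: List[dict], services: Dict[Tuple[int, str], List[str]]):
    """RPC services sitting on a port /etc/services reserves for something else.
    Returns (rpc name, port, proto, canonical owner from /etc/services)."""
    found = []
    for r in rpc_rows:
        names = services.get((r['port'], r['proto']))
        if names and r['name'] not in names:
            found.append((r['name'], r['port'], r['proto'], names[0]))
    return found


def pick_port(proto: str, services: Dict[Tuple[int, str], List[str]],
              in_use: Set[int], start: int, low: int = 600, high: int = 1023) -> int:
    """Search upward from `start` (wrapping within [low, high]) for a port that is
    neither listed in /etc/services for this proto nor already held by an RPC
    service.  Range and search order are assumptions made for this example."""
    span = high - low + 1
    for i in range(span):
        port = low + (start - low + i) % span
        if (port, proto) not in services and port not in in_use:
            return port
    raise RuntimeError("no free port in range")


def iptables_rules(rpc_rows: List[dict], chain: str = 'INPUT') -> List[str]:
    """Snapshot rules from the current registrations (portmapper itself excluded).
    Caveat: a restarted service may register on a different port, so rules built
    this way go stale unless regenerated."""
    return [f"iptables -A {chain} -p {r['proto']} --dport {r['port']} -j ACCEPT"
            for r in rpc_rows if r['name'] != 'portmapper']


if __name__ == '__main__':
    svc = parse_services(SERVICES_TEXT)
    rows = parse_rpcinfo(RPCINFO_TEXT)
    for name, port, proto, owner in collisions(rows, svc):
        print(f"{name} is on {port}/{proto}, which /etc/services assigns to {owner}")
    print("replacement for status/udp:", pick_port('udp', svc, {r['port'] for r in rows}, start=631))
    print("\n".join(iptables_rules(rows)))
```

Running it reports the two constructed collisions (status on 631/udp, assigned to ipp, and on 993/tcp, assigned to imaps), proposes 632/udp as the first free port above the colliding one, and prints one ACCEPT rule per registration, which is exactly the snapshot that needs redoing after a service restart.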
