Re: port blocking
On Saturday 05 April 2003 01:36 pm, tech@bishop.dhs.org wrote:
> I'm trying to lock down my server, which, for historical reasons *has*
> to run the various nis services. No problem, I'll just block the ports
> that ypfrx, yppasswdd, ypbind, etc bind to. However, it seems that they
> choose a different port each time. As I don't want to switch to the
> 'block everything, only open needed' methodology (too much overhead to
> keep all my clients working), how do I force the various nis services to
> use only certain specified ports? Looking at the man page, some of them
> take a -p switch, but putting that into the /etc/init.d/nis file in the
> --exec line 1) doesn't seem to work and 2) would be overwritten by the
> next upgrade (iirc, the init scripts are not marked as config files).
> Any ideas?
I'm not exactly sure if locking the NIS ports is possible, but I can verify
that init.d scripts are (almost?) always marked as conffiles. You do not
need to worry about them being overwritten without being asked.
That said, I would really recommend that you switch to the "block everything"
firewall methodology, especially if you need legacy software like NIS around.
You'll sleep easier.
Also, about the -p switch: make sure you're passing "--" between the program
name and the -p. start-stop-daemon needs this, to separate its own arguments
from those of the daemon it's starting. (This may not be your problem - like
I said, I don't use NIS, those scripts might not call start-stop-daemon.)
Hope this helps.
- Keegan
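One way to check whether the -p options actually pinned the NIS ports, as an added example that is not part of the original thread: compare the NIS entries of `rpcinfo -p` before and after a restart. The rpcinfo output below is constructed sample data, and the service-name list (ypserv, yppasswdd, ypbind, ypxfrd) is an assumption about what the portmapper registers on a given host.

```shell
# Constructed sample of `rpcinfo -p` output (not captured from a real host).
RPCINFO_BEFORE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp    834  ypserv
    100004    1   udp    834  ypserv
    100004    2   tcp    837  ypserv
    100009    1   udp    839  yppasswdd
    100007    2   udp    841  ypbind
    100007    2   tcp    844  ypbind'

# Constructed second snapshot: yppasswdd came back on a different port,
# which is what happens when the daemon still picks its port dynamically.
RPCINFO_MOVED='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp    834  ypserv
    100004    1   udp    834  ypserv
    100004    2   tcp    837  ypserv
    100009    1   udp    1023 yppasswdd
    100007    2   udp    841  ypbind
    100007    2   tcp    844  ypbind'

# nis_ports: read rpcinfo -p output on stdin and print "service proto port"
# for the NIS RPC services (assumed names), one line each, sorted.
# The header line has only four fields, so $5 is empty and never matches.
nis_ports() {
    awk '$5 ~ /^(ypserv|yppasswdd|ypbind|ypxfrd)$/ { print $5, $3, $4 }' | sort -u
}

# nis_ports_pinned: take two rpcinfo -p snapshots as strings and return 0
# only if every NIS service registered the same ports in both. Run it with
# a snapshot from before and after a service restart; a mismatch means the
# port is still chosen at random and a static firewall rule will not hold.
nis_ports_pinned() {
    before=$(printf '%s\n' "$1" | nis_ports)
    after=$(printf '%s\n' "$2" | nis_ports)
    [ "$before" = "$after" ]
}

# Stand-alone usage: list the NIS ports, then report whether they moved.
printf '%s\n' "$RPCINFO_BEFORE" | nis_ports
if nis_ports_pinned "$RPCINFO_BEFORE" "$RPCINFO_MOVED"; then
    echo "NIS ports unchanged"
else
    echo "NIS ports changed between snapshots"
fi
```

In practice, save `rpcinfo -p` to a file before and after `/etc/init.d/nis restart` and feed both files to `nis_ports_pinned "$(cat before.txt)" "$(cat after.txt)"`.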