
Re: rpc.statd hacking but firewalled



On Mon, Mar 12, 2001 at 11:27:46AM -0800, Marc Wilson wrote:
> Try this in your firewall script:
> 
> # anything NFS-like should not be accessible from outside
> NFSPORTS=`rpcinfo -p | awk '/tcp/||/udp/ {print $4}' | sort | uniq`
> for PORT_NUM in $NFSPORTS
> do
>      $IPCHAINS -A input -i $extint -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 $PORT_NUM -j REJECT -l
>      $IPCHAINS -A input -i $extint -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 $PORT_NUM -j REJECT -l
> done

Just a nitpick: the UDP rule should be a DENY, since UDP never sends
ICMP control packets like port unreachable.

This script would work, but you would have to rerun it any time one of
the RPC services was restarted. It would also miss them if started
when firewall scripts are usually run: before networking comes up.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
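As an added example (not code from Marc's or Ethan's messages), here is a POSIX shell version of the same idea that separates the parsing of `rpcinfo -p` from the rule generation and prints the ipchains commands instead of running them, so the result can be reviewed before it is applied. TCP ports get REJECT as in the quoted script, UDP ports get DENY per the nitpick above. The `rpcinfo -p` output embedded below is constructed sample data, and `eth0` is an assumed external interface name.

```shell
# Added example, not from the original thread.
# Parse `rpcinfo -p` output and print ipchains rules for every RPC port.

# Constructed sample of `rpcinfo -p` output for a typical NFS host;
# in real use, pipe `rpcinfo -p` into gen_rules instead.
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1024  status
    100024    1   tcp   1025  status
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100021    1   udp   1026  nlockmgr
    100005    1   udp    640  mountd
    100005    1   tcp    643  mountd'

# rpc_ports PROTO: read rpcinfo output on stdin and print the unique ports
# registered for PROTO (tcp or udp), one per line, in numeric order.
# The header line is skipped because its third field is "proto".
rpc_ports() {
    awk -v proto="$1" '$3 == proto { print $4 }' | sort -n | uniq
}

# gen_rules EXTINT: read rpcinfo output on stdin and print one ipchains
# command per RPC port on external interface EXTINT. TCP uses REJECT (the
# client gets a refusal); UDP uses DENY so nothing is sent back at all.
# Commands are printed, not executed.
gen_rules() {
    extint="$1"
    input=$(cat)
    for port in $(printf '%s\n' "$input" | rpc_ports tcp); do
        printf 'ipchains -A input -i %s -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 %s -j REJECT -l\n' \
            "$extint" "$port"
    done
    for port in $(printf '%s\n' "$input" | rpc_ports udp); do
        printf 'ipchains -A input -i %s -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 %s -j DENY -l\n' \
            "$extint" "$port"
    done
}

# Usage with the constructed sample (assumed interface name eth0):
printf '%s\n' "$RPCINFO_SAMPLE" | gen_rules eth0
```

Because the status, nlockmgr and mountd ports are handed out by the portmapper at start time, the printed rule set is only valid for the current set of registered services; it has to be regenerated after portmap and the RPC daemons are up, and again whenever one of them restarts, which is exactly the weakness Ethan points out.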
