Hi Ken,
On Mon, 26 Feb 2001, Rodent of Unusual Size <[EMAIL PROTECTED]> wrote:
> "Karl J. Runge" wrote:
> >
> > BUT, you also gotta block and/or shutdown RPC services. E.g.
> > rpc.nfsd, rpc.statd, rpc.mountd. We usually think of these
> > as UDP services, but there are often TCP counterparts.
> > Regardless, they are not protected by /etc/hosts.deny !!!
> > Run rpcinfo -p to see the list of RPC services you are
> > exporting (hopefully none).
> >
> > You either have to shut off the RPC services, or if you need
> > them in a LAN, you should set up ipchains filtering to limit
> > access to your LAN hosts. (this is usually done on a firewall,
> > but can be done with a single host)
>
> Any how-to pointers available?
Sorry, but I don't have any general pointers on this; I believe others
on the list will supply.
I've always just done this on my firewall and roaming laptops myself
with filtering rules on the internet-side interface. (i.e. by writing a
shell script that repeatedly calls ipfwadm or ipchains to set up the
rules)
The baseline I basically set up is:
  - Drop all incoming TCP connections (SYN=1, ACK=0) except for
    ports you want to expose as a service (e.g. apache on 80)
  - Only allow UDP traffic to fixed ports (udp services like
    DNS=53 and NTP=123) and to/from *fixed* machine IPs (e.g.
    from /etc/resolv.conf and /etc/ntp.conf)
  - One can further protect RPC by explicitly blocking any external
    connections to your udp ports listed in "rpcinfo -p" (but note
    that they'd have to be spoofing as one of your DNS or NTP hosts
    at this point to get a udp packet in...)
That's a bit draconian, but is a pretty good start. One can apply
perturbations to this baseline to allow more stuff through. Note that the
above is for a home LAN/roaming laptop, not an "enterprise firewall".
Anyway, now if rpc.nfsd or rpc.statd are running on the box (either by
accident or on purpose, e.g. for a home LAN) it cannot be accessed by
machines out on the internet.
I believe I have heard of various sources for "rc.firewall" scripts
that do this, but haven't checked into them. I imagine (hope?) they
are even more careful than what I have outlined above.
Karl
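The baseline Karl describes above (drop new TCP except exposed ports, deny the UDP ports that "rpcinfo -p" lists before any UDP accept, UDP only from fixed DNS/NTP hosts), as an added example that is not part of the original thread: a POSIX shell script that prints the ipchains commands for review rather than applying them. The interface name, the exposed port, the DNS/NTP addresses and the rpcinfo output are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): print ipchains rules for the baseline.
# Assumptions: external interface eth0, TCP 80 exposed; DNS/NTP hosts and the
# rpcinfo output are constructed samples. Nothing is applied, only printed.
EXT_IF=${EXT_IF:-eth0}
EXPOSED_TCP=${EXPOSED_TCP:-80}
DNS_HOSTS=${DNS_HOSTS:-192.0.2.53}
NTP_HOSTS=${NTP_HOSTS:-192.0.2.123}

# Constructed stand-in for the output of "rpcinfo -p".
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1024  status
    100003    2   udp   2049  nfs
    100005    1   udp   1025  mountd'

# UDP ports the RPC services listen on: the ones to deny explicitly.
rpc_udp_ports() {
    printf '%s\n' "$1" | awk '$3 == "udp" { print $4 }' | sort -un
}

# Emit the baseline for the external interface: new TCP only to exposed
# ports; RPC UDP ports denied BEFORE any UDP accept, which closes the
# "spoof a DNS/NTP source" gap; UDP otherwise only from fixed hosts and
# their fixed service ports; everything else UDP denied and logged (-l).
gen_rules() {
    ext=$1; tcp_ports=$2; dns=$3; ntp=$4; rpcinfo_out=$5
    echo "ipchains -F input"
    for p in $tcp_ports; do
        echo "ipchains -A input -i $ext -p tcp -y --dport $p -j ACCEPT"
    done
    echo "ipchains -A input -i $ext -p tcp -y -j DENY -l"   # -y: SYN=1, ACK=0
    for p in $(rpc_udp_ports "$rpcinfo_out"); do
        echo "ipchains -A input -i $ext -p udp --dport $p -j DENY -l"
    done
    for h in $dns; do
        echo "ipchains -A input -i $ext -p udp -s $h 53 -j ACCEPT"
    done
    for h in $ntp; do
        echo "ipchains -A input -i $ext -p udp -s $h 123 -j ACCEPT"
    done
    echo "ipchains -A input -i $ext -p udp -j DENY -l"
}

gen_rules "$EXT_IF" "$EXPOSED_TCP" "$DNS_HOSTS" "$NTP_HOSTS" "$SAMPLE_RPCINFO"
```

On a real box, replace SAMPLE_RPCINFO with `"$(rpcinfo -p)"` and pipe the printed rules through sh once you have read them.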
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************