Restricting NFS daemons
cpghost
cpghost at cordula.ws
Wed Jan 26 03:05:45 PST 2005
On Tue, Jan 25, 2005 at 09:09:45PM -0800, Sandy Rutherford wrote:
> > But the question is how to get rpcbind to use tcp-wrappers
> > in the first place!
>
> > Because even with this in hosts.allow, sockstat -46l still
> > shows:
>
> > root rpcbind 10188 7 udp4 127.0.0.1:111 *:*
> > root rpcbind 10188 8 udp4 192.168.1.1:111 *:*
> > root rpcbind 10188 9 udp4 *:<some_random_port> *:*
> > root rpcbind 10188 10 tcp4 *:<some_random_port> *:*
>
> > So it's still binding to INADDR_ANY :-(
>
> > Am I missing something obvious, or is rpcbind not "tcp wrapped"
> > by default?
>
> Should be. Double check to make sure that /usr/sbin/portmap is linked
> to libwrap.
Good idea! Yes indeed, rpcbind is linked to libwrap:
/usr/sbin/rpcbind:
libwrap.so.3 => /usr/lib/libwrap.so.3 (0x28080000)
libutil.so.4 => /lib/libutil.so.4 (0x28088000)
libc.so.5 => /lib/libc.so.5 (0x28094000)
> I am not surprised that rpcbind is still bound to all of your
> interfaces. AFAIK, tcp-wrappers doesn't control which interface is
> being listened on, but rather it controls from which IP numbers
> connections will be accepted. This is what I meant, when I said that
> tcp-wrappers doesn't do exactly what you want. However, if you use
> tcp-wrappers to accept only connections from 192.168.1.0/255.255.255.0
> and configure a firewall on this host to block all connections to the
> interface in question from this address range, then you will end up
> with something approximating what you want.
Yes, that's approximately what I had in mind.
Thank you for your help! :)
> ...Sandy
Cheers,
-cpghost.
--
Cordula's Web. http://www.cordula.ws/
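As an added illustration (not part of the original message, and not FreeBSD's own code), a small Python check modelled on this thread: it parses sockstat-style output (a constructed sample, patterned on the lines quoted above) to flag sockets bound to INADDR_ANY, which a hosts.allow entry cannot change, and models the per-client decision libwrap would make for the 192.168.1.0/255.255.255.0 rule Sandy suggested. The rule list, the random port numbers and the extra sshd line are assumptions.

```python
import ipaddress

# Constructed sample in the layout of `sockstat -46l`; ports 812/723 stand in
# for the random ports rpcbind picks, and the sshd line is added for contrast.
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     rpcbind    10188 7  udp4   127.0.0.1:111         *:*
root     rpcbind    10188 8  udp4   192.168.1.1:111       *:*
root     rpcbind    10188 9  udp4   *:812                 *:*
root     rpcbind    10188 10 tcp4   *:723                 *:*
root     sshd       512   4  tcp4   192.168.1.1:22        *:*
"""

# Assumed hosts.allow content (FreeBSD single-file style): first match wins.
HOSTS_ALLOW = [
    ("rpcbind", "192.168.1.0/255.255.255.0", "allow"),
    ("rpcbind", "ALL", "deny"),
]


def wildcard_listeners(sockstat_text):
    """Return (command, proto, port) for every socket bound to '*' (INADDR_ANY).

    tcp-wrappers never changes these bindings; it only filters clients after
    the connection (or datagram) has already reached the socket.
    """
    found = []
    for line in sockstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "USER":
            continue  # skip the header and anything malformed
        command, proto, local = fields[1], fields[4], fields[5]
        host, _, port = local.rpartition(":")  # last ':' separates the port
        if host == "*":
            found.append((command, proto, int(port)))
    return found


def wrapper_decision(daemon, client_ip, rules=HOSTS_ALLOW):
    """Simplified libwrap matching: net/mask or ALL patterns, first match wins,
    and, as in tcp-wrappers, a client that matches no rule is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for service, pattern, action in rules:
        if service not in (daemon, "ALL"):
            continue
        if pattern == "ALL":
            return action
        if ip in ipaddress.ip_network(pattern, strict=False):
            return action
    return "allow"
```

Running wildcard_listeners on the sample reports only the two random-port rpcbind sockets, while wrapper_decision("rpcbind", "10.0.0.5") returns "deny" and the 192.168.1.x clients are allowed; a firewall rule on the outside interface is still what keeps those wildcard sockets unreachable.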