On Mon, Mar 12, 2001 at 11:27:46AM -0800, Marc Wilson wrote:
> Try this in your firewall script:
>
> # anything NFS-like should not be accessible from outside
> NFSPORTS=`rpcinfo -p | awk '/tcp/||/udp/ {print $4}' | sort | uniq`
> for PORT_NUM in $NFSPORTS
> do
>     $IPCHAINS -A input -i $extint -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 $PORT_NUM -j REJECT -l
>     $IPCHAINS -A input -i $extint -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 $PORT_NUM -j REJECT -l
> done
Just a nitpick: the UDP rule should be a DENY, since UDP never sends ICMP control packets like port unreachable.

This script would work, but you would have to rerun it any time one of the RPC services was restarted. It would also miss them if started when firewall scripts are usually run: before networking comes up.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
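As an added example (not code from either poster), here is a version of the quoted script that keeps the port-to-protocol pairing from `rpcinfo -p` instead of flattening it to a bare port list, uses REJECT for TCP and DENY for UDP as the reply suggests, and always includes the portmapper port (111/tcp and 111/udp), whose number is fixed and does not depend on any RPC service having registered yet. The `rpcinfo -p` output embedded below is a constructed sample so the script runs offline; the interface name `eth0` and the `$IPCHAINS` variable are assumptions carried over from the quoted script.

```shell
#!/bin/sh
# Added example, not from the thread. Parses rpcinfo -p output (read from
# stdin so it can be exercised on a captured sample) and emits one ipchains
# rule per (protocol, port) pair on the external interface.

# Constructed sample of `rpcinfo -p` output, used only for offline testing.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    915  status
    100024    1   tcp    917  status
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100021    1   udp  32768  nlockmgr
    100021    3   udp  32768  nlockmgr
    100021    4   tcp  32769  nlockmgr'

# rpc_ports: read rpcinfo -p output on stdin and print "proto port" pairs,
# one per line, de-duplicated. Matching on column 3 exactly avoids the
# original /tcp/||/udp/ regex hitting the word in a service name.
rpc_ports() {
    awk '$3 == "tcp" || $3 == "udp" { print $3, $4 }' | sort -u
}

# gen_rules EXTINT: emit ipchains rules for every RPC port plus 111/tcp and
# 111/udp. $1 is the assumed external interface; $IPCHAINS (assumed, as in
# the quoted script) names the ipchains binary and defaults to "ipchains".
gen_rules() {
    extint=$1
    ipchains=${IPCHAINS:-ipchains}
    { printf 'tcp 111\nudp 111\n'; rpc_ports; } | sort -u |
    while read -r proto port; do
        case $proto in
            tcp) target=REJECT ;;   # TCP: an explicit refusal is fine
            udp) target=DENY ;;     # UDP: drop silently, per the reply's nitpick
            *)   continue ;;
        esac
        printf '%s -A input -i %s -p %s -s 0.0.0.0/0 -d 0.0.0.0/0 %s -j %s -l\n' \
            "$ipchains" "$extint" "$proto" "$port" "$target"
    done
}

# Number of rules generated for the constructed sample (8: 111, 915, 917,
# 2049 x2, 32768, 32769, with the duplicate nlockmgr udp line collapsed).
sample_rule_count() {
    printf '%s\n' "$SAMPLE_RPCINFO" | gen_rules eth0 | wc -l | tr -d ' '
}

# Live usage (run as root):   rpcinfo -p | gen_rules eth0 | sh
# Dry run on the sample:      printf '%s\n' "$SAMPLE_RPCINFO" | gen_rules eth0
```

This still has the limitation raised in the reply: it snapshots whatever is registered at the moment it runs, so it must be re-run after an RPC service restarts and emits only the fixed portmapper rules if run before the services register. Piping `rpcinfo -p` in from a cron job, or blocking the whole external interface by default and opening only the ports you need, avoids the problem entirely.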