On Tue, Sep 26, 2006 at 01:53:44PM -0700, John Polstra wrote:
> On 26-Sep-2006 Danny Braniss wrote:
> > This keeps biting me every other upgrade, IPMI on some
> > hosts, if enabled, will steal packets to port 623 or 664, so
> > the current solution is either set net.inet.ip.portrange.lowlast
> > to 664, (for some reason this does not seem to work if done via
> > loader.conf) or change it in sys/netinet/in.h.
> >
> > So, is there some way to blacklist some ports, instead
> > of increasing portrange.lowlast?
>
> You could use your favorite scripting language to create a socket,
> bind it to the port, listen on it, and just sit there doing nothing
> -- for each port you want to blacklist. That would keep the ports
> from being used by anything else.
Extending the internal service functionality of inetd might be a good approach for this sort of thing. The current method of service matching based on port and protocol could be augmented with the ability to connect arbitrary "internal" services to arbitrary ports, perhaps via arguments to the "internal" command. Then you could hook discard to ports you don't want to use.

--
Brooks
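The "bind it, listen on it, and sit there" approach Polstra suggests, written out as an added example (not code from anyone in this thread). It holds each port on both TCP and UDP so either case is covered, leaves SO_REUSEADDR/SO_REUSEPORT unset so nothing can share the binding, and includes a probe that confirms the hold is effective. The default port list (623, 664) and the assumption that binding below 1024 requires root are the only page-specific details; the kernel's ephemeral-port allocator skips ports that are already bound, which is what keeps them out of the portrange window.

```python
import signal
import socket
import sys

PROTOS = {"tcp": socket.SOCK_STREAM, "udp": socket.SOCK_DGRAM}


def reserve_port(port, proto="tcp", host="0.0.0.0"):
    """Bind (and, for TCP, listen on) a port and return the socket holding it.

    SO_REUSEADDR/SO_REUSEPORT are deliberately NOT set: the whole point is
    that no other process, and no ephemeral-port allocation, can share it.
    """
    sock = socket.socket(socket.AF_INET, PROTOS[proto])
    sock.bind((host, port))
    if proto == "tcp":
        sock.listen(1)  # a listening socket counts as "in use" to the allocator
    return sock


def reserve_ports(ports, protos=("tcp", "udp"), host="0.0.0.0"):
    """Hold every (port, proto) pair.  Returns ({(actual_port, proto): sock}, failures).

    Ports already taken are reported, not fatal, so one stolen port does not
    stop the rest from being held.
    """
    held, failed = {}, []
    for port in ports:
        for proto in protos:
            try:
                sock = reserve_port(port, proto, host)
                held[(sock.getsockname()[1], proto)] = sock
            except OSError as exc:
                failed.append((port, proto, exc.strerror))
    return held, failed


def port_is_free(port, proto="tcp", host="0.0.0.0"):
    """True if a fresh socket can still bind the port, i.e. our hold is not effective."""
    try:
        with socket.socket(socket.AF_INET, PROTOS[proto]) as probe:
            probe.bind((host, port))
        return True
    except OSError:
        return False


if __name__ == "__main__":
    # Ports from the thread by default; binding below 1024 needs root.
    ports = [int(p) for p in sys.argv[1:]] or [623, 664]
    held, failed = reserve_ports(ports)
    for port, proto in held:
        print(f"holding {proto}/{port}")
    for port, proto, why in failed:
        print(f"could not hold {proto}/{port}: {why}")
    signal.pause()  # sit here doing nothing until killed; the sockets stay open
```

Run it from rc.local or under a supervisor before any service that opens outgoing connections, since a port is only protected while the holder is alive.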