> On Tue, Sep 26, 2006 at 01:53:44PM -0700, John Polstra wrote:
> > On 26-Sep-2006 Danny Braniss wrote:
> > > This keeps biting me every other upgrade, IPMI on some
> > > hosts, if enabled, will steal packets to port 623 or 664, so
> > > the current solution is either set net.inet.ip.portrange.lowlast
> > > to 664, (for some reason this does not seem to work if done via
> > > loader.conf) or change it in sys/netinet/in.h.
> > >
> > > So, is there some way to blacklist some ports, instead
> > > of increasing portrange.lowlast?
> >
> > You could use your favorite scripting language to create a socket,
> > bind it to the port, listen on it, and just sit there doing nothing
> > -- for each port you want to blacklist. That would keep the ports
> > from being used by anything else.
>
> Extending the internal service functionality of inetd might be a good
> approach for this sort of thing. The current method of service matching
> based on port and protocol could be augmented with the ability to
> connect arbitrary "internal" services to arbitrary ports, perhaps via
> arguments to the "internal" command. Then you could hook discard to
> ports you don't want to use.
>
> -- Brooks
Some IP traffic is generated earlier, tftp/dhcp/dns/nfs, which ruins my initial thought of putting the list in loader.rc or something - in a diskless environment there is a chicken and egg problem.

danny
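John's "bind it and sit there" approach, written out as an added example that is not from the thread: a small Python script that holds ports 623 and 664 with a TCP listener and a UDP socket each, so the kernel will not hand them out as ephemeral ports. The function names are assumptions; it must run as root for ports below 1024, and it does nothing for the early tftp/dhcp/nfs traffic Danny mentions, since it only protects ports once it is running.

```python
import signal
import socket

# Ports the thread says IPMI firmware claims on some hosts; holding them keeps
# the kernel from handing them out as ephemeral ports to other processes.
IPMI_PORTS = [623, 664]


def reserve_ports(ports, addr="0.0.0.0"):
    """Bind a TCP listener and a UDP socket on each port and return the sockets.
    The reservation lasts only while the returned sockets stay open."""
    held = []
    for port in ports:
        tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        tcp.bind((addr, port))   # raises EADDRINUSE if something already owns it
        tcp.listen(1)            # never accepted: the point is only to occupy the port
        held.append(tcp)
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        udp.bind((addr, port))
        held.append(udp)
    return held


def release_ports(held):
    """Close the sockets returned by reserve_ports, ending the reservation."""
    for sock in held:
        sock.close()


def is_reserved(port, addr="127.0.0.1"):
    """True if a fresh TCP bind on addr:port is refused, i.e. the port is held."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind((addr, port))
    except OSError:
        return True
    finally:
        probe.close()
    return False


def pick_free_port(addr="127.0.0.1"):
    """Ask the kernel for an unused high port (lets the check run without root)."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind((addr, 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    # Keep the sockets open until the process is killed; run this before
    # anything that might pick an ephemeral port.
    held_sockets = reserve_ports(IPMI_PORTS)
    signal.pause()
```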