>>>>> On Wed, 26 Jan 2005 10:02:00 +0100, 
>>>>> cpghost <[EMAIL PROTECTED]> said:

 > But the question is how to get rpcbind to use tcp-wrappers
 > in the first place!

 > Because even with this in hosts.allow, sockstat -46l still
 > shows:

 > root     rpcbind    10188 7  udp4   127.0.0.1:111         *:*
 > root     rpcbind    10188 8  udp4   192.168.1.1:111       *:*
 > root     rpcbind    10188 9  udp4   *:<some_random_port>  *:*
 > root     rpcbind    10188 10 tcp4   *:<some_random_port>  *:*

 > So it's still binding to INADDR_ANY :-(

 > Am I missing something obvious, or is rpcbind not "tcp wrapped"
 > by default?

Should be.  Double check to make sure that /usr/sbin/portmap is linked
to libwrap.

On 4.10, I have:

    % objdump -x portmap | head -n 25
    /usr/libexec/elf/objdump: portmap: no symbols

    portmap:     file format elf32-i386
    portmap
    architecture: i386, flags 0x00000112:
    EXEC_P, HAS_SYMS, D_PAGED
    start address 0x08048de8

    Program Header:
        PHDR off    0x00000034 vaddr 0x08048034 paddr 0x08048034 align 2**2
             filesz 0x000000c0 memsz 0x000000c0 flags r-x
      INTERP off    0x000000f4 vaddr 0x080480f4 paddr 0x080480f4 align 2**0
             filesz 0x00000019 memsz 0x00000019 flags r--
        LOAD off    0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12
             filesz 0x00002700 memsz 0x00002700 flags r-x
        LOAD off    0x00002700 vaddr 0x0804b700 paddr 0x0804b700 align 2**12
             filesz 0x000001ec memsz 0x00000218 flags rw-
     DYNAMIC off    0x0000275c vaddr 0x0804b75c paddr 0x0804b75c align 2**2
             filesz 0x000000b8 memsz 0x000000b8 flags rw-
        NOTE off    0x00000110 vaddr 0x08048110 paddr 0x08048110 align 2**2
             filesz 0x00000018 memsz 0x00000018 flags r--

    Dynamic Section:
      NEEDED      libwrap.so.3
      NEEDED      libc.so.4
      INIT        0x8048adc

I am not surprised that rpcbind is still bound to all of your
interfaces.  AFAIK, tcp-wrappers doesn't control which interface is
being listened on, but rather it controls from which IP numbers
connections will be accepted.  This is what I meant, when I said that
tcp-wrappers doesn't do exactly what you want.  However, if you use
tcp-wrappers to accept only connections from 192.168.1.0/255.255.255.0
and configure a firewall on this host to block all connections to the
interface in question from this address range, then you will end up
with something approximating what you want.

...Sandy
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
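The distinction drawn in the reply above, as an added example that is not part of the original thread and does not use libwrap itself: a listener bound to INADDR_ANY that filters peers by source address only after the connection has been accepted. The function names and the loopback test client are assumptions made for the illustration.

```python
import ipaddress
import socket
import threading

def wrapped_listener(allowed_net):
    """Bind to INADDR_ANY, then check each peer's address after accept()."""
    allowed = ipaddress.ip_network(allowed_net)
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", 0))            # port 0: the kernel picks a free port
    srv.listen(5)
    srv.settimeout(5)
    bound = srv.getsockname()           # what a socket listing would report

    def serve_one():
        conn, peer = srv.accept()       # the TCP handshake has already completed
        with conn:
            if ipaddress.ip_address(peer[0]) in allowed:
                conn.sendall(b"OK\n")   # permitted source: service answers
            # denied source: connection is closed without any reply
        srv.close()

    worker = threading.Thread(target=serve_one, daemon=True)
    worker.start()
    return bound, worker

def probe(allowed_net):
    """Connect from 127.0.0.1; return (listener bind address, bytes received)."""
    (bind_ip, port), worker = wrapped_listener(allowed_net)
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        try:
            data = client.recv(16)
        except ConnectionResetError:
            data = b""
    worker.join(5)
    return bind_ip, data

if __name__ == "__main__":
    # Constructed cases: the client is always 127.0.0.1.
    for net in ("192.168.1.0/24", "127.0.0.0/8"):
        bind_ip, data = probe(net)
        print(f"allow {net:<15} bound to {bind_ip:<8} client got {data!r}")
```

In both cases the socket is bound to 0.0.0.0, which is why the listing of listening sockets does not change when an access rule is added; only the reply to the client differs.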