On 6/23/06, Theo de Raadt <[EMAIL PROTECTED]> wrote:
[snip]
>> http://www.freebsd.org/cgi/man.cgi?query=mountd
>>
>> It's definitely possible (Free and Net both offer the -p option).
>
> I think that is completely ridiculous. Hardcoding RPC utilities
> to non-random ports .... to try to tie it to something else, to increase
> your security.
>
> Come on. By the time you have to do that, please just compile your own
> version of mountd with a diff.
*nod* I had not considered the random port allocation as a security
feature - makes sense though. In my case, I'm running pf on a host
that's already internal for some reporting (pfstat) and as an extra
layer of filtering in case something gets through the primary firewall
that shouldn't (belt + suspenders, etc.). It has since occurred to me
that this might be a good candidate for authpf, and that's probably
what I'll end up doing - hosts that need access to NFS can get it with
authpf and an extra pf rule.
Thanks for clearing up the why.
--
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
encrypted email to the latter address please
http://darkuncle.net/pubkey.asc for public key
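As an added illustration of the authpf approach discussed above (this is not configuration from the thread or from the OpenBSD project; the interface name, the NFS server address, and the assumption that the pf host sits in front of a separate NFS server are all made up for the example), the pieces fit together like this:

```pf
# /etc/pf.conf on the internal filtering host
# (added example; interface and addresses are assumed)
int_if     = "em0"
nfs_server = "192.0.2.10"          # assumed address of the NFS server

# authpf(8) adds each authenticated client's address to this table
# for the lifetime of its ssh session and removes it on logout.
table <authpf_users> persist

set skip on lo

block in log on $int_if

# Unauthenticated hosts may only reach ssh on this box; authpf is the
# login shell of the accounts that are allowed to open the firewall.
pass in on $int_if proto tcp from any to ($int_if) port ssh

# Per-session rules loaded by authpf from /etc/authpf/authpf.rules
# are evaluated at this point in the ruleset.
anchor "authpf/*"

# The "extra pf rule": authenticated hosts may talk to the NFS server.
# It matches every port, so the randomly bound mountd/nlockmgr ports
# need no hardcoding and no special handling.
pass in on $int_if from <authpf_users> to $nfs_server

# --- /etc/authpf/authpf.rules (alternative to the table rule above) ---
# Loaded once per session; authpf supplies only $user_ip and $user_id,
# so any other macros must be defined again in this file.
# int_if     = "em0"
# nfs_server = "192.0.2.10"
# pass in quick on $int_if from $user_ip to $nfs_server
```

Either the table-based rule in pf.conf or the per-session rule in authpf.rules is enough on its own; the table variant keeps all policy in one file, while authpf.rules allows per-user differences.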