Hi,

Comments inline.

> > Port 111 is for the rpc.statd daemon, required for NFS and related
> > services.  There was a rash of rpc.statd exploits sometime back (hint
> > bugtraq). If you don't run rpc.statd (portmap), you have no need to
> > worry about this.
Written thus, this could seem confusing: rpc.statd != portmap.

The portmapper is a service that is started on a well known port (111),
which remote hosts use to query if a particular RPC service is running
on the target host, as well as where it is listening (port number).

There have been vulnerabilities in several RPC services, statd being the
most prevalent, due to a number of well publicised kiddie scripts doing
the rounds, as well as the Ramen worm, which used statd as one of the entry
vectors for RH6.2 boxes.

> change that to a NO, I disagree with the statement that it's always
> needed. (rc.conf on NetBSD and OpenBSD, don't know about FreeBSD, controls
> what gets started at boot.) Almost every casual home user I know of
> doesn't set up NFS or NIS, hence my disagreement with the 'almost always
> needed'. Linux, IRIX, etc ... all of them, I think, also start portmapper
> by default.
Agreed. Most services should be disabled by default. If you need to run
a service, the least one can do is learn enough about it to enable it.
(This debate has gone on for long enough; I'm hoping that the more vendors
hear, the more likely something will be done about it.)

> for these above reasons I strongly encourage you to filter 111/TCP (and
> other portmapper related ports, i.e. Sun uses some high numbered ones) at
> your border, and on hosts not using it make sure it's disabled.

Sun services usually end up running on ports in the 32700+ range. A lot
of free *NIX flavours allocate the first available ports above 1024.

In either case, I would rather push for a default deny policy than have
to search for services that are run on your net and selectively deny
them. How confident can you be that you spotted all the possible services?
Even using nmap or another port scanner against the entire port range does
not guarantee that one service or another had not been stopped, only to
be restarted after the next boot, or that something may not come up at a
later stage.


Anyway, enough of my opinions ;)

Take care,
  Andrew
-
Andrew Thomas
office: +27 21 4889820
facsimile: +27 21 4889830
mobile: +27 82 7850166
 "One trend that bothers me is the glorification of
stupidity, that the media is reassuring people it's 
alright not to know anything. That to me is far more 
dangerous than a little pornography on the Internet." 
  - Carl Sagan
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
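The portmapper query described in the message above (a remote host asking TCP/111 whether a given RPC program is registered and on which port), as an added example that is not code from the original post or from any of the systems it mentions. It builds an ONC RPC v2 PMAPPROC_GETPORT call for rpc.statd (program 100024) with AUTH_NULL credentials, frames it with TCP record marking, and decodes the portmapper's reply. The xid, the host name in the commented-out call and the canned reply bytes (statd on port 32768) are constructed here so the demo runs offline; query_portmapper() performs a real lookup only when you give it a host you are allowed to probe. This is the same lookup rpcinfo -p and the statd scanners perform first, which is the practical reason for filtering 111 at the border even when the RPC services themselves sit on high ports.

```python
"""Minimal ONC RPC v2 portmapper client (rpcinfo-style GETPORT lookup).

Added example, not code from the mailing-list post. The xid, host name and
CANNED_REPLY are constructed for an offline run.
"""
import socket
import struct

PMAP_PROG = 100000          # portmapper program number, well-known port 111
PMAP_VERS = 2
PMAPPROC_GETPORT = 3        # "on which port is this program listening?"
STATD_PROG = 100024         # rpc.statd ("status")
IPPROTO_TCP = 6
IPPROTO_UDP = 17

RPC_CALL, RPC_REPLY = 0, 1
MSG_ACCEPTED, SUCCESS = 0, 0
LAST_FRAGMENT = 0x80000000


def build_getport_call(xid, prog, vers, proto):
    """Encode a PMAPPROC_GETPORT call (XDR, big-endian) with AUTH_NULL."""
    header = struct.pack(">6I", xid, RPC_CALL, 2, PMAP_PROG, PMAP_VERS,
                         PMAPPROC_GETPORT)
    # credential and verifier: flavor AUTH_NULL (0), opaque body length 0
    auth = struct.pack(">4I", 0, 0, 0, 0)
    # struct mapping { prog, vers, prot, port }; port is ignored by GETPORT
    args = struct.pack(">4I", prog, vers, proto, 0)
    return header + auth + args


def frame_tcp(record):
    """RPC over TCP record marking: 4-byte length with the last-fragment bit set."""
    return struct.pack(">I", LAST_FRAGMENT | len(record)) + record


def parse_getport_reply(body, expected_xid):
    """Return the registered port from a GETPORT reply body (0 = not registered)."""
    xid, msg_type, reply_stat = struct.unpack_from(">3I", body, 0)
    if xid != expected_xid:
        raise ValueError("xid mismatch: got %#x" % xid)
    if msg_type != RPC_REPLY:
        raise ValueError("not an RPC reply")
    if reply_stat != MSG_ACCEPTED:
        raise ValueError("RPC call denied (reply_stat=%d)" % reply_stat)
    # verifier: flavor, opaque length, then body padded to a 4-byte boundary
    _flavor, verf_len = struct.unpack_from(">2I", body, 12)
    off = 20 + ((verf_len + 3) & ~3)
    accept_stat, = struct.unpack_from(">I", body, off)
    if accept_stat != SUCCESS:
        raise ValueError("accept_stat=%d (1 = PROG_UNAVAIL)" % accept_stat)
    port, = struct.unpack_from(">I", body, off + 4)
    return port


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-record")
        buf += chunk
    return buf


def read_record(sock):
    """Reassemble one RPC record from one or more TCP fragments."""
    record = b""
    while True:
        mark, = struct.unpack(">I", _recv_exact(sock, 4))
        record += _recv_exact(sock, mark & 0x7FFFFFFF)
        if mark & LAST_FRAGMENT:
            return record


def query_portmapper(host, prog=STATD_PROG, vers=1, proto=IPPROTO_UDP,
                     timeout=3.0, xid=0x4E465321):
    """Ask host's portmapper where `prog` listens. Real network call."""
    with socket.create_connection((host, 111), timeout=timeout) as sock:
        sock.sendall(frame_tcp(build_getport_call(xid, prog, vers, proto)))
        return parse_getport_reply(read_record(sock), xid)


# Constructed reply: the portmapper says statd v1/udp sits on port 32768,
# a typical "first free port above 1024" allocation on a free *NIX.
CANNED_XID = 0x4E465321
CANNED_REPLY = (struct.pack(">3I", CANNED_XID, RPC_REPLY, MSG_ACCEPTED)
                + struct.pack(">2I", 0, 0)            # AUTH_NULL verifier
                + struct.pack(">2I", SUCCESS, 32768))  # accept_stat, port

if __name__ == "__main__":
    call = build_getport_call(CANNED_XID, STATD_PROG, 1, IPPROTO_UDP)
    print("call is %d bytes, %d framed" % (len(call), len(frame_tcp(call))))
    print("statd port from canned reply:",
          parse_getport_reply(CANNED_REPLY, CANNED_XID))
    # Against a real host you are permitted to probe (example address):
    # print(query_portmapper("192.0.2.10"))
```

A port of 0 in the reply means the program is not registered; a PROG_UNAVAIL accept_stat means the portmapper itself did not recognise the request. Note that the query goes to 111 regardless of where statd ends up, which is why a border filter on 111 alone already removes the easy enumeration step, and why a default-deny policy covering the high ports as well removes the rest.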