It is interesting that the use of ephemeral ports was really aimed at reducing the number of well known port allocations in an environment that was heavily RPC based, however, locking the port number means that the RPC endpoint becomes well known and more vulnerable to attack so personally I can see why a whole lot of folk would object to that. (this is just the sort of thing that M$ do to allow access to Exchange servers through Firewalls)
I was interested in one of Theo's earlier comments about hooking pf up to the port mapper.. considering that the port mapper for the RPC application will probably be running on a different system to your perimeter defence I assume this meant a kind of distributed approach where pf would talk to the port mapper remotely. Is it feasible that pf could interrogate RPC traffic and determine the allocated port via the reply of the handshake then allow the connection based upon that? - I know Checkpoint do this with some amount of success. -Andy -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Theo de Raadt Sent: 24 June 2006 00:04 To: Scott Francis Cc: Clint Pachl; misc@openbsd.org Subject: Re: How to pass mount protocol traffic (mountd/NFS) using pf? > On 6/21/06, Clint Pachl <[EMAIL PROTECTED]> wrote: > > Because portmap(8) dynamically assigns the mountd(8) port, how would > > one write a pass rule in pf for mountd(8) traffic? My problem is that > > every time mountd(8) is re/started, it operates on a different port and > > my fixed pf rules block the mount protocol and, consequently, my > > clients cannot mount an NFS share. > > > > I read through RFC1094 "NFS: Network File System Protocol > > Specification" and RFC1057 "RPC: Remote Procedure Call Protocol > > Specification" looking for ways to statically bind the mount protocol > > to a port number. It doesn't look possible. > > http://www.freebsd.org/cgi/man.cgi?query=mountd > > It's definitely possible (Free and Net both offer the -p option). I think that is completely ridiculous. Hardcoding RPC utilities to non-random ports .... to try to tie it to something else, to increase your security. Come on. By the time you have to do that, please just compile your own version of mountd with a diff.
