It is interesting that the use of ephemeral ports was really aimed at
reducing the number of well-known port allocations in an environment that
was heavily RPC-based. However, locking the port number means that the RPC
endpoint becomes well known and more vulnerable to attack, so personally I
can see why a whole lot of folk would object to that. (This is just the sort
of thing that M$ do to allow access to Exchange servers through firewalls.)

I was interested in one of Theo's earlier comments about hooking pf up to
the port mapper. Considering that the port mapper for the RPC application
will probably be running on a different system from your perimeter defence, I
assume this meant a kind of distributed approach where pf would talk to the
port mapper remotely.

Is it feasible that pf could interrogate RPC traffic, determine the
allocated port from the reply of the handshake, and then allow the connection
based upon that? I know Checkpoint do this with some amount of success.

-Andy



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Theo de Raadt
Sent: 24 June 2006 00:04
To: Scott Francis
Cc: Clint Pachl; misc@openbsd.org
Subject: Re: How to pass mount protocol traffic (mountd/NFS) using pf? 

> On 6/21/06, Clint Pachl <[EMAIL PROTECTED]> wrote:
> > Because portmap(8) dynamically assigns the mountd(8) port, how would
> > one write a pass rule in pf for mountd(8) traffic? My problem is that
> > every time mountd(8) is re/started, it operates on a different port and
> > my fixed pf rules block the mount protocol and, consequently, my
> > clients cannot mount an NFS share.
> >
> > I read through RFC1094 "NFS: Network File System Protocol
> > Specification" and RFC1057 "RPC: Remote Procedure Call Protocol
> > Specification" looking for ways to statically bind the mount protocol
> > to a port number. It doesn't look possible.
> 
> http://www.freebsd.org/cgi/man.cgi?query=mountd
> 
> It's definitely possible (Free and Net both offer the -p option).

I think that is completely ridiculous.  Hardcoding RPC utilities
to non-random ports .... to try to tie it to something else, to increase
your security.

Come on.  By the time you have to do that, please just compile your own
version of mountd with a diff.
