Mark Bergman wrote on Tue, Dec 15, 1998 at 09:47:00AM -0800:
> I don't know if this is RedHat 5.1 specific, but be aware that the version
> of portmap distributed is the enhanced (Wietse Venema) version. That's
> great, except for two things. The first is documented, but easy to overlook:
>
> "In order to avoid deadlocks, the portmap program does not attempt to look
> up the remote host name or user name...The upshot of all this is that only
> network number patterns will work for portmap access control."
This is true for all portmap/rpcbind daemons using libwrap.
> I didn't realize that, and boy did I get bitten when I refused connections
> from "unknown" hosts (where DNS doesn't reverse correctly). I was using the
> "same" hosts.allow file I had used elsewhere, but it was a different
> version of portmap.
For portmap/rpcbind/nfs/... you usually want to block everything except
a very small number of local networks, so the typical way of doing this:

    portmap, rpcbind : 123.4.5.0/255.255.255.0 : allow
    portmap, rpcbind : ALL : deny

is also the best.
> The other problem that came up is that every time a portmap request
> (initiated by mount) was denied, the portmap daemon died.
This usually happens for programs that call libwrap routines without first
forking a subprocess, if you use the 'twist=' feature in hosts.allow/deny
files.
Tomasz
--
_________
(_ _' __) Tomasz R. Surmacz, Work:(071)3202636, tsurmacz @ict.pwr.wroc.pl
| (__ \ http://www.ict.pwr.wroc.pl/~tsurmacz/ *-* Home: ts@ wroc,apk,net
|__(____/ Taming a mail daemon may cause a system security violation.
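The following is an added example, not part of the mail thread and not code from tcp_wrappers or portmap. It is a deliberately simplified Python model of hosts.allow matching that reproduces the two points made above: a daemon that never resolves the client name (portmap/rpcbind) can only match network-number patterns, so a name pattern in its rule silently never applies, and a 'twist' option on such a daemon's rule is a problem. The hosts.allow text, the `.trusted.example` domain and the `NO_LOOKUP_DAEMONS` set are constructed for the example; real libwrap supports more pattern forms than are modelled here.

```python
"""Toy model of libwrap (tcp_wrappers) hosts.allow matching.  Constructed
example: the rule syntax follows hosts_access(5)/hosts_options(5) loosely,
and only the pattern forms needed to show the portmap pitfalls are handled."""
import ipaddress
import re

# Daemons that consult hosts.allow without a reverse lookup (as the quoted
# portmap documentation says): the client name is unavailable to them.
NO_LOOKUP_DAEMONS = {"portmap", "rpcbind"}

# Patterns evaluable from the address alone: leading octets ("123.4.5.")
# and literal IPv4 addresses.  "ALL" and net/mask are checked separately.
NUMERIC_PATTERN = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}\.?$")

# Constructed hosts.allow text.  The second rule is the pitfall from the mail:
# a name pattern that portmap can never match, whatever DNS says.
SAMPLE_HOSTS_ALLOW = """\
portmap, rpcbind : 123.4.5.0/255.255.255.0 : allow
portmap, rpcbind : .trusted.example : allow
portmap, rpcbind : ALL : deny
sshd : .trusted.example : allow
sshd : ALL : deny
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines into tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        option = fields[2] if len(fields) > 2 else None
        rules.append((daemons, clients, option))
    return rules


def is_numeric_pattern(pattern):
    """True for the forms that need no name lookup: ALL, net/mask, numeric."""
    return pattern == "ALL" or "/" in pattern or bool(NUMERIC_PATTERN.match(pattern))


def client_matches(pattern, addr, hostname):
    """hostname is None when the daemon did not (or could not) resolve the client."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                        # net/mask, e.g. 123.4.5.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if NUMERIC_PATTERN.match(pattern):
        if pattern.endswith("."):             # leading octets, e.g. 123.4.5.
            return addr.startswith(pattern)
        return addr == pattern                # literal address
    if hostname is None:                      # every name-based form needs a lookup
        return False
    if pattern.startswith("."):               # domain suffix, e.g. .trusted.example
        return hostname.endswith(pattern)
    return hostname == pattern                # plain host name


def decide(rules, daemon, addr, hostname=None):
    """First matching rule wins.  Returns 'allow', 'deny', or None if nothing matched."""
    if daemon in NO_LOOKUP_DAEMONS:
        hostname = None                       # portmap never looks the name up
    for daemons, clients, option in rules:
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(client_matches(p, addr, hostname) for p in clients):
            return "deny" if option == "deny" else "allow"
    return None


def audit_rules(rules):
    """Flag rules for no-lookup daemons that cannot work as written."""
    findings = []
    for daemons, clients, option in rules:
        if not (set(daemons) & NO_LOOKUP_DAEMONS):
            continue
        for p in clients:
            if not is_numeric_pattern(p):
                findings.append(f"{', '.join(daemons)}: pattern {p!r} needs a name lookup and never matches")
        if option and option.startswith("twist"):
            findings.append(f"{', '.join(daemons)}: 'twist' on a non-forking daemon's rule takes the daemon down")
    return findings


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_HOSTS_ALLOW)
    print(decide(rules, "portmap", "123.4.5.77"))                        # allow: numeric pattern
    print(decide(rules, "portmap", "10.1.1.1", "nfs.trusted.example"))   # deny: name never consulted
    print(decide(rules, "sshd", "10.1.1.1", "nfs.trusted.example"))      # allow: sshd resolved the name
    for finding in audit_rules(rules):
        print("WARNING:", finding)
```

Running the script shows the same client, with a perfectly good reverse record, being allowed by sshd and denied by portmap on the same hosts.allow, which is exactly the "same file, different portmap" surprise described in the mail; the audit pass is the check to run over an existing hosts.allow before pointing an RPC daemon at it.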