h3rdi (n00b)
Joined: 02 Nov 2003 Posts: 25 Location: Berlin, Germany
Posted: Tue May 04, 2004 5:47 pm Post subject: Problem closing Portmapper
Hi all,
I have famd running which - unfortunately - still needs the portmapper. I have tried to seal the portmapper from outside according to a hint from here. I have created

```
$ cat /etc/hosts.allow
portmap: 127.0.0.1
```

and

```
$ cat /etc/hosts.deny
portmap: ALL
```

Still the portmapper is visible even through my dial-up interface (confirmed with a portscan from outside). How can I make it stop listening? The hosts.allow mechanism seems not too elegant to me. Can I bind it hard to the loopback interface? This would be better, IMHO. Is there a possibility of famd getting along without the portmapper in the future? This is really the only reason for me to have it.
Thanks in advance. Greetings from Berlin
Herdi
moocha (Watchman)
Joined: 21 Oct 2003 Posts: 5722
Posted: Tue May 04, 2004 7:46 pm
I don't think it's possible to convince portmap to only bind to a specific interface. However, you can go the following way:

```
iptables -I INPUT -p tcp -s \! 127.0.0.1 --dport 111 -j DROP
iptables -I INPUT -p udp -s \! 127.0.0.1 --dport 111 -j DROP
```

Also it may be a good idea to edit /etc/fam.conf and set local_only to true.
_________________
Military Commissions Act of 2006: http://tinyurl.com/jrcto
"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety."
-- attributed to Benjamin Franklin
h3rdi (n00b)
Joined: 02 Nov 2003 Posts: 25 Location: Berlin, Germany
Posted: Tue May 04, 2004 8:03 pm
> moocha wrote:
> [iptables]
> Also it may be a good idea to edit /etc/fam.conf and set local_only to true.

OK, I will try to let the packet filter handle it. Famd is already configured to local and it is not visible over the net, as expected.
What really makes me wonder is why portmap doesn't respect the hosts_access files as it should. Any idea anyone?
TIA & Greetings
Herdi
moocha (Watchman)
Joined: 21 Oct 2003 Posts: 5722
Posted: Tue May 04, 2004 8:36 pm
Because it doesn't have support for tcpwrappers:

```
moocha root # cat /var/db/pkg/net-nds/portmap-5b-r8/USE
x86 X aalib accessibility acl acpi alsa apache2 arts berkdb caps crypt cups curl dga doc encode expat flac gdbm gif gnome gpm gstreamer gtk gtk2 guile imap imlib jack java jbig jpeg kde kerberos lcms ldap mad maildir memlimit mikmod mmx mng motif mpeg mysql ncurses nls nptl odbc oggvorbis openal opengl pam perl pic pie png postgres python qt readline ruby samba sasl sdl slang slp snmp socks5 speex spell sse ssl svga tcltk tcpd tetex tiff truetype unicode wmf xml xml2 xv zlib
moocha root # ldd /sbin/portmap
linux-gate.so.1 => (0xffffe000)
libnsl.so.1 => /lib/libnsl.so.1 (0x4002a000)
libc.so.6 => /lib/libc.so.6 (0x4003f000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
```

No /lib/libwrap.so there :(
h3rdi (n00b)
Joined: 02 Nov 2003 Posts: 25 Location: Berlin, Germany
Posted: Thu May 06, 2004 5:50 pm
> moocha wrote:
> Because it doesn't have support for tcpwrappers:
>
> ```
> moocha root # cat /var/db/pkg/net-nds/portmap-5b-r8/USE
> x86 X aalib accessibility acl acpi alsa apache2 arts berkdb caps crypt cups curl dga doc encode expat flac gdbm gif gnome gpm gstreamer gtk gtk2 guile imap imlib jack java jbig jpeg kde kerberos lcms ldap mad maildir memlimit mikmod mmx mng motif mpeg mysql ncurses nls nptl odbc oggvorbis openal opengl pam perl pic pie png postgres python qt readline ruby samba sasl sdl slang slp snmp socks5 speex spell sse ssl svga tcltk tcpd tetex tiff truetype unicode wmf xml xml2 xv zlib
> moocha root # ldd /sbin/portmap
> linux-gate.so.1 => (0xffffe000)
> libnsl.so.1 => /lib/libnsl.so.1 (0x4002a000)
> libc.so.6 => /lib/libc.so.6 (0x4003f000)
> /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
> ```
>
> No /lib/libwrap.so there :(
Hi again,
Thanks so far for the help. I have done some experimenting meanwhile and now I'm even more confused: According to the ebuild files the newest beta version of portmap supports tcp-wrappers. I have now installed this latest version. After a re-emerge of tcp-wrappers, after adding the tcpd USE flag and after emerging the beta portmap, I get the following:

```
$ ldd /sbin/portmap
libwrap.so.0 => /lib/libwrap.so.0 (0x40030000)
libutil.so.1 => /lib/libutil.so.1 (0x40038000)
libnsl.so.1 => /lib/libnsl.so.1 (0x4003b000)
libc.so.6 => /lib/libc.so.6 (0x40050000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
```

and

```
$ cat /var/db/pkg/net-nds/portmap-5b-r9/USE
[...]
postgres python qt quicktime readline ruby sdl slang spell ssl svga tcltk tcpd tetex tiff
[...]
```

But (not really surprised any more) portmap is still open to the world.
Hasn't anyone here got this solved? Where are the "close all ports -> no security problem" people?
Thanks and greetings
Herdi
moocha (Watchman)
Joined: 21 Oct 2003 Posts: 5722
Posted: Thu May 06, 2004 5:54 pm
Um, but tcp-wrappers don't have anything to do with closing ports. A tcp-wrappers-enabled portmap will still listen to the world. It will just close connections that aren't authorized according to /etc/hosts.*.
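The point moocha makes above, as an added example that is not part of the thread: a small Python model of the hosts_access(5) decision, run against the exact hosts.allow and hosts.deny contents h3rdi posted. The check happens inside the daemon, after the kernel has already completed the connection, which is why a scan from outside still reports port 111 open; only a packet filter in front of the socket changes what the scanner sees. Assumptions: the model handles only the keyword ALL, exact IPv4 addresses and trailing-dot network prefixes; EXCEPT, hostnames and the optional shell_command field are left out.

```python
"""Minimal model of the tcp_wrappers hosts_access(5) decision.
Constructed example, not libwrap itself: handles "daemon_list : client_list"
lines with ALL, exact IPv4 addresses and trailing-dot prefixes ("10.0.");
EXCEPT, hostnames and the optional shell_command field are not modelled."""
from typing import List, Tuple

# Constructed copies of the two files quoted in the thread.
HOSTS_ALLOW = "portmap: 127.0.0.1\n"
HOSTS_DENY = "portmap: ALL\n"
Rule = Tuple[List[str], List[str]]  # (daemon tokens, client tokens)


def parse_access_file(text: str) -> List[Rule]:
    """Parse hosts.allow/hosts.deny text into (daemons, clients) rules."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line or ":" not in line:
            continue
        fields = [f.strip() for f in line.split(":")]
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def _matches(token: str, value: str) -> bool:
    """ALL matches anything; a trailing dot means a network prefix."""
    if token == "ALL":
        return True
    if token.endswith("."):
        return value.startswith(token)
    return token == value


def _any_rule_hits(rules: List[Rule], daemon: str, client: str) -> bool:
    return any(any(_matches(d, daemon) for d in daemons)
               and any(_matches(c, client) for c in clients)
               for daemons, clients in rules)


def hosts_access(daemon: str, client: str,
                 allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> bool:
    """hosts_access(5) order: allow match grants, deny match refuses, else grant.
    A wrapped daemon evaluates this only after the connection already exists,
    so a port scan still reports the port open either way."""
    if _any_rule_hits(parse_access_file(allow), daemon, client):
        return True
    if _any_rule_hits(parse_access_file(deny), daemon, client):
        return False
    return True
```

With the thread's two files, only 127.0.0.1 is served and every other client is refused after connecting; a daemon that is not named in either file is served by the default-grant rule.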
h3rdi (n00b)
Joined: 02 Nov 2003 Posts: 25 Location: Berlin, Germany
Posted: Thu May 06, 2004 6:12 pm
> moocha wrote:
> Um, but tcp-wrappers don't have anything to do with closing ports.

OK, got me, my mistake. Thanks again. Eventually I will do the packet filter solution, or just leave things as they are now.
Greetings
Herdi