OSEC

 
From: Steffen Dettmer (steffen_at_dett.de)
Date: Wed Feb 19 2003 - 01:51:57 CST


    * Volker Kuhlmann wrote on Wed, Feb 19, 2003 at 10:35 +1300:
    > > Is there any alternative to this ?
    >
    > NFS is a pain. In theory, you need a packet filter which
    > listens in on the portmapper exchange and on the fly opens and
    > closes the udp ports actually being used.

    Yes, it is... Closing ports on the fly? This results in blocking
    unused ports, if I understood correctly. I don't think that this
    is so horrible to have unused ports open. Firewalling access
    except for a few trusted IPs is not that bad at all, and on the NFS
    server and/or the client you could roll out some additional local
    rules, but UDP packet source addresses are easy to spoof (or
    "set", "spoof" sounds so complicated :)). Some RPC services can
    be configured to listen on specified ports, maybe nfsd has
    this feature also?

    oki,

    Steffen

    -- 
    This letter was generated by machine,
    it therefore bears neither signature nor seal.
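
Added example, not part of the original message: the static filtering discussed above, generating trusted-IP rules from the ports currently registered with the portmapper and listing the services whose ports can move on restart. The `rpcinfo -p` sample, the client addresses and treating only ports 111 and 2049 as fixed are assumptions made for the example.

```python
import ipaddress

# Constructed sample of `rpcinfo -p` output from a hypothetical NFS server.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   udp  32771  mountd
    100005    3   udp  32771  mountd
    100021    1   udp  32768  nlockmgr
    100024    1   udp  32769  status
"""

# Assumption: only portmapper (111) and nfsd (2049) keep their port across restarts.
FIXED_PORTS = {111, 2049}

def parse_rpcinfo(text):
    """Return the unique (service, proto, port) registrations, sorted."""
    seen = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # header or blank line
        seen.add((fields[4] if len(fields) > 4 else fields[0], fields[2], int(fields[3])))
    return sorted(seen)

def floating_services(regs):
    """Services on a port the portmapper handed out dynamically."""
    return sorted({svc for svc, _, port in regs if port not in FIXED_PORTS})

def allow_rules(regs, trusted):
    """iptables rules admitting only trusted sources to each registered port."""
    nets = [ipaddress.ip_network(t) for t in trusted]  # rejects malformed input
    ports = sorted({(proto, port) for _, proto, port in regs})
    rules = [f"iptables -A INPUT -p {proto} -s {net} --dport {port} -j ACCEPT"
             for net in nets for proto, port in ports]
    # Source filtering on UDP does not authenticate the sender (spoofable).
    rules += [f"iptables -A INPUT -p {proto} --dport {port} -j DROP" for proto, port in ports]
    return rules

if __name__ == "__main__":
    regs = parse_rpcinfo(SAMPLE_RPCINFO)
    print("ports to re-check after every restart:", floating_services(regs))
    print("\n".join(allow_rules(regs, ["192.0.2.10", "192.0.2.11"])))
```

The services reported by `floating_services` are the ones whose rules go stale when the daemons restart, unless they are configured to listen on specified ports.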
    
