Subject: Re: restricting NFS (and associated services) to one IP address
To: Michael van Elst <email@example.com>
From: Steven M. Bellovin <firstname.lastname@example.org>
Date: 10/09/2006 10:27:56
On Mon, 9 Oct 2006 12:52:53 +0000 (UTC), email@example.com (Michael van
> firstname.lastname@example.org ("Steven M. Bellovin") writes:
> >There are no guarantees about what port numbers are assigned. Today, on
> >one particular reboot, it used the ports I mentioned. A code change or a
> >boot order change could change that, which would silently leave the
> >services exposed.
> The normal approach with "default is deny" would just reconfigure the
> port filters when the service is started and stopped. But with "default
> is permit" this opens a window of vulnerability.
"default deny" what? All packets addressed to low-numbered ports? Per a
previous reply, there are some subtle implications to doing that.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
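As an added example, not code from either correspondent, here is the check that Bellovin's point calls for: after a reboot, compare the ports the RPC services actually registered with the portmapper against the ports the packet filter was written for, so a silently moved mountd or lockd shows up instead of sitting exposed. The `rpcinfo -p` output below is constructed, and the allow-list "111 2049" is an assumption standing in for whatever the filter permits.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output (not captured from a real host);
# the mountd and nlockmgr ports are made up to show the dynamic-port case.
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    3   udp    904  mountd
    100005    3   tcp    906  mountd
    100021    4   udp    845  nlockmgr
    100021    4   tcp    850  nlockmgr'

# exposed_rpc_ports RPCINFO_OUTPUT ALLOWED_PORTS
#   $1: text of `rpcinfo -p`
#   $2: space-separated ports the packet filter explicitly handles (assumed)
# Prints "port proto service" for every registration whose port is not in
# the allow-list, i.e. a service the filter rules were not written for.
# Empty output means every registered service is covered by the filter.
exposed_rpc_ports() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 && NF >= 4 && !($4 in ok) {
            name = (NF >= 5) ? $5 : "?"   # some registrations carry no name
            print $4, $3, name
        }'
}

# Demonstration on the constructed sample; on a live host replace the first
# argument with "$(rpcinfo -p)" and run it from a boot-time or cron check.
exposed_rpc_ports "$RPCINFO_SAMPLE" "111 2049"
```

A non-empty result is the signal to either tighten the filter or, as Michael suggests, regenerate the rules from the live registrations when the services start.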