Subject: Re: Host access philosophy (Was: restricting NFS (and associated services) to one IP address)
To: Steven M. Bellovin <firstname.lastname@example.org>
From: Greg A. Woods <email@example.com>
Date: 11/12/2006 17:58:23
Content-Type: text/plain; charset=US-ASCII
At Mon, 9 Oct 2006 20:37:44 -0400,
Steven M. Bellovin wrote:
> The first is to incorporate access control semantics into rpcbind.
On NetBSD rpcbind(8) already says:
Access control is provided by /etc/hosts.allow and /etc/hosts.deny, as
described in hosts_access(5) with daemon name rpcbind.
It's not very fine-grained though.
There's also the "[addr:]" feature provided by NetBSD's inetd(8), which
will force those RPC servers run from inetd into listening only on the
specified address or subnet.
That doesn't do much for the NFS related services though since they're
stand-alone daemons (some of which "must NOT be invoked by inetd(8)").
Maybe it wouldn't be too difficult to at least add libwrap support to
Greg A. Woods
H:+1 416 218-0098 W:+1 416 489-5852 x122 VE3TCP RoboHack <firstname.lastname@example.org>
Planix, Inc. <email@example.com> Secrets of the Weird <firstname.lastname@example.org>
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
-----END PGP SIGNATURE-----