by redmail.netbsd.org with SMTP; 18 Oct 1999 06:25:46 -0000
	by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id PAA02546;
	Mon, 18 Oct 1999 15:25:08 +0900 (JST)
To: "Brian C. Grayson" <bgrayson@marvin.ece.utexas.edu>
cc: Manuel Bouyer <bouyer@antioche.lip6.fr>, tech-security@netbsd.org
In-reply-to: bgrayson's message of Sun, 17 Oct 1999 23:25:34 EST.
      <19991017232534.A14455@marvin.ece.utexas.edu> 
Subject: Re: libwrap (was Re: amd vulnerability: patch for 1.3.3) 
From: itojun@iijlab.net
Date: Mon, 18 Oct 1999 15:25:08 +0900
Message-ID: <2544.940227908@coconut.itojun.org>


>Steps on machine k9:
>
>kill `ps -ax | awk '{if ($5 == "portmap") print $1}'`
>kill `ps -ax | awk '{if ($5 == "amd") print $1}'`
>echo "amd : ALL EXCEPT localhost k9" > /etc/hosts.deny
>rm /etc/hosts.allow
>portmap -l
>amd -p -a /a /amd /etc/amd.home.map
>rpcinfo -p	##  Good, service registered.
>amq		##  Expected output.
>
>>>From another machine, marvin:
>
>amq -h k9
>##  AACK!  The other machine was able to perform the action!
>
>
>  I've tried to disable rup and rusers, to no avail.  So which
>crucial part of libwrap am I not doing right?  This machine is
>running NetBSD-1.4K kernel, with userland from the ELF upgrade
>from July or August.  I tried compiling a -current portmap, with
>no change.

	Looking at src/usr.sbin/portmap, it will only able to filter 
	connection to "portmap", not to "amd".  This can be filtered
	under service name "portmap".
	So the configuration line would be:
		portmap: ALL EXCEPT localhost k9
	but I'm not quite sure if this is what you want.

itojun