Subject: Re: libwrap (was Re: amd vulnerability: patch for 1.3.3)
To: None <itojun@iijlab.net>
From: Brian C. Grayson <bgrayson@marvin.ece.utexas.edu>
List: tech-security
Date: 10/18/1999 01:48:04
Message-ID: <19991018014804.A19607@marvin.ece.utexas.edu>
Date: Mon, 18 Oct 1999 01:48:04 -0500
From: "Brian C. Grayson" <bgrayson@marvin.ece.utexas.edu>
To: itojun@iijlab.net
Cc: Manuel Bouyer <bouyer@antioche.lip6.fr>, tech-security@netbsd.org
Subject: Re: libwrap (was Re: amd vulnerability: patch for 1.3.3)
References: <19991017232534.A14455@marvin.ece.utexas.edu> <2544.940227908@coconut.itojun.org>
In-Reply-To: <2544.940227908@coconut.itojun.org>; from itojun@iijlab.net on Mon, Oct 18, 1999 at 03:25:08PM +0900

On Mon, Oct 18, 1999 at 03:25:08PM +0900, itojun@iijlab.net wrote:
> 
> 	Looking at src/usr.sbin/portmap, it will only be able to filter
> 	connections to "portmap", not to "amd".  This can be filtered
> 	under service name "portmap".
> 	So the configuration line would be:
> 		portmap: ALL EXCEPT localhost k9
> 	but I'm not quite sure if this is what you want.

  Thanks.  It should be feasible to check against both portmap
and the specific service, via two checks -- "portmap" and
getrpcbynumber(prog).  Would this be worth coding up?

  For now, I'll just disable all portmap services to non-local
machines on the relevant hosts.

  Brian Grayson
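
The two-check idea from the message above, sketched as an added example; it is not code from this thread or from NetBSD's portmap. The access check and the name lookup are stubs standing in for libwrap's hosts_ctl() and for getrpcbynumber(), and the policy, the program-number table and the fallback for unnamed programs are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins (assumptions): a real portmap would call libwrap's hosts_ctl()
 * and getrpcbynumber(); they are stubbed so the example runs offline. */
typedef int (*access_fn)(const char *daemon, const char *client);
typedef const char *(*rpcname_fn)(unsigned long prog);

/* Constructed policy: "portmap" admits localhost and k9, "amd" only localhost. */
static int sample_access(const char *daemon, const char *client)
{
    int local = strcmp(client, "localhost") == 0;
    if (strcmp(daemon, "portmap") == 0)
        return local || strcmp(client, "k9") == 0;
    if (strcmp(daemon, "amd") == 0)
        return local;
    return 1; /* no rule names this service: libwrap-style default allow */
}

/* Constructed stand-in for the /etc/rpc number-to-name map. */
static const char *sample_rpcname(unsigned long prog)
{
    if (prog == 100000UL) return "portmapper";
    if (prog == 300019UL) return "amd";
    return NULL;
}

/* Returns 1 only when the client passes the "portmap" check and the check
 * for the specific RPC service being requested. */
int rpc_access_ok(unsigned long prog, const char *client,
                  access_fn check, rpcname_fn lookup)
{
    char numeric[32];
    const char *name;

    if (!check("portmap", client))
        return 0;
    name = lookup(prog);
    if (name == NULL) { /* assumed fallback: use the number as service name */
        snprintf(numeric, sizeof numeric, "%lu", prog);
        name = numeric;
    }
    return check(name, client);
}

int main(void)
{
    printf("k9 -> amd: %d\n", rpc_access_ok(300019UL, "k9", sample_access, sample_rpcname));
    return 0;
}
```

With the sample policy, k9 passes the "portmap" check but is refused for amd, which is the per-service distinction a single "portmap" rule cannot express.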