NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: access control for mountd, statd, and lockd?

On Feb 8, 2010, at 1:49 PM, Chuck Swiger wrote:

> On Feb 8, 2010, at 10:37 AM, Steven Bellovin wrote:
>> Yup, though my concerns are broader -- I'd really like to block completely 
>> unwanted packets at the IP level, to guard against bugs in the 
>> authentication, the crypto, etc.  There's a long history of those, too.
> Well, yes.  Hopefully anyone using NFS has a firewall guarding their Internet 
> connections, so completely unwanted packets from the rest of the 'net should 
> be filtered there.

Precisely what I'm trying to do, which is why I want known port numbers to 

> If you are concerned about subnet-local exploit attempts, host-based firewall 
> approaches like libwrap or individual IPFW / PF / IPF will do some good, but 
> it's really hard to defend against all of the potential attacks and DoS 
> conditions if your local network is malicious.
> (And that's regrettably true even if you *weren't* trying to do 
> filesharing....)
> Regards,
> -- 
> -Chuck

                --Steve Bellovin,

Home | Main Index | Thread Index | Old Index