Great Circle Associates Firewalls
(August 1994)

Subject: Ports
From: padgett @ tccslr . dnet . mmc . com (A. Padgett Peterson, P.E. Information Security)
Date: Fri, 5 Aug 94 08:20:27 -0400
To: "firewalls @ greatcircle . com"@UVS1.dnet.mmc.com

>One thing that might be useful would be to modify the bind command in the
>library so that rpc daemons get assigned to a definite certain range.  Thus,
>if you put bind in secure mode, all the rpc daemons get bound to a certain
>range like 600-800 udp ports.  Then you could easily block that range with a
>firewall. 

Am thinking about something more dynamic that would not be port restricted.
Consider a firewall that is designed to block everything. (Might allow
inward E-mail but even that could use some shoring up).

Now consider that before any connection is opened, first a request must be 
issued from an inside node to the firewall. If the node is on an approved list,
the connection is permitted. If the request is for something like FTP, an
inward connection is also allowed from port 20 on the outside node to the
requesting node only and only for so long as the outward connection exists.

To the outside, all RFCs are adhered to. On the inside, some special operations
are needed.

True, a very fast, intelligent firewall is needed and now we have active ACLs
instead of static ones, but it is doable and is something I am working on.

					Warmly,
						Padgett
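The scheme sketched in the message above (default-deny, an approved-node list, a per-request outbound rule, and a temporary inbound FTP data rule from port 20 of the outside node that lives only as long as the outbound connection) can be modelled as a small dynamic rule table. The Python below is an added illustration and is not part of Padgett's message or the list archive; the IP addresses, the use of port 21 as the FTP control port, and the optional static mail-host exception (the message only says inbound e-mail "might" be allowed) are assumptions made for the example.

```python
from dataclasses import dataclass

FTP_CONTROL_PORT = 21  # assumption: an outbound request to this port is an FTP session
FTP_DATA_PORT = 20     # the message's "port 20 on the outside node"
SMTP_PORT = 25         # assumption: the only statically permitted inbound service


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = inside -> outside, "in" = outside -> inside


class ActiveFirewall:
    """Default-deny firewall whose ACL entries are created and destroyed by
    requests from inside nodes, rather than configured statically."""

    def __init__(self, approved_nodes, mail_host=None):
        self.approved = set(approved_nodes)
        self.mail_host = mail_host          # None means no inbound mail at all
        self.outbound = set()               # (inside_ip, outside_ip, outside_port)
        self.inbound = set()                # (outside_ip, outside_port, inside_ip)

    def request(self, inside_ip, outside_ip, outside_port):
        """An inside node asks the firewall to open a connection.
        Returns True if the node is approved and the rule was installed."""
        if inside_ip not in self.approved:
            return False
        self.outbound.add((inside_ip, outside_ip, outside_port))
        if outside_port == FTP_CONTROL_PORT:
            # Temporary inbound rule: only from port 20 of that outside host,
            # only to the requesting node, only while the control session exists.
            self.inbound.add((outside_ip, FTP_DATA_PORT, inside_ip))
        return True

    def close(self, inside_ip, outside_ip, outside_port):
        """The outbound connection has ended; tear down every rule it created."""
        self.outbound.discard((inside_ip, outside_ip, outside_port))
        if outside_port == FTP_CONTROL_PORT:
            self.inbound.discard((outside_ip, FTP_DATA_PORT, inside_ip))

    def permit(self, pkt):
        """Decide a single packet against the current (dynamic) rule table."""
        if pkt.direction == "out":
            return (pkt.src_ip, pkt.dst_ip, pkt.dst_port) in self.outbound
        if pkt.dst_port == SMTP_PORT and pkt.dst_ip == self.mail_host:
            return True  # the one static exception; everything else is dynamic
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip) in self.inbound


def run_demo():
    """Walk through an FTP session with constructed addresses and return the decisions."""
    fw = ActiveFirewall(approved_nodes={"10.0.0.5"}, mail_host="10.0.0.25")
    results = {}
    results["unapproved_request"] = fw.request("10.0.0.7", "192.0.2.10", FTP_CONTROL_PORT)
    results["approved_request"] = fw.request("10.0.0.5", "192.0.2.10", FTP_CONTROL_PORT)
    data_to_requester = Packet("192.0.2.10", FTP_DATA_PORT, "10.0.0.5", 1025, "in")
    data_to_other = Packet("192.0.2.10", FTP_DATA_PORT, "10.0.0.6", 1025, "in")
    results["data_during_session"] = fw.permit(data_to_requester)
    results["data_to_other_node"] = fw.permit(data_to_other)
    results["inbound_mail"] = fw.permit(Packet("198.51.100.9", 4000, "10.0.0.25", SMTP_PORT, "in"))
    fw.close("10.0.0.5", "192.0.2.10", FTP_CONTROL_PORT)
    results["data_after_close"] = fw.permit(data_to_requester)
    return results


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: {'permit' if decision else 'deny'}")
```

The rule table is keyed on the full (outside host, port 20, inside node) triple, so the inbound allowance is not a hole for the whole site, only for the node that asked; `close()` is the part a real implementation must get right, since a leaked entry becomes a permanent static rule again.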
