Mail headers suggest Robert Bonomi may have written in response:
> +
> + Recently there was a thread here in which it was noted that filtering
> + portmap (111) traffic merely made it more difficult to find the RPC
> + service ports, that if they could be guessed, they could be gotten to.
> +
> + What approaches, from a filtering perspective, might be employed to
> + block these ports, since they appear to be arbitrarily and dynamically
> + assigned (from observation and from reading the rfcs)?
>
> the -simple- one. "everything not specifically authorized is forbidden".
> i.e. block _everything_, then open holes for _specific_ things.
>
> then you just have to make sure that your 'allowed' services come up
> *before* 'portmapper client programs' do. this is a simple matter of
> making sure things are in the right sequence in the system start-up files.
> :)
>
I should have stated the filtering policy for the particular route:
"Everything not specifically forbidden is permitted."
Not terribly unusual for some portions of an academic network.
--
W.C. Epperson
Senior SE
Curmudgeon-for-Life
Virginia Dept. of Education
"CAUTION: Objects in floating point may not be as close as they appear."
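The two policies the thread contrasts, worked through on a constructed set of inbound connection attempts (an added example, not code from either poster; all port numbers other than 111 and the dynamic-bind range are assumed for illustration). It also checks the startup-order point: an allow-list hole that lies inside the range an RPC service could be dynamically assigned is one a service started in the wrong order might land on.

```python
# Constructed sample traffic: (description, destination port).
# Only 111 (portmap) comes from the thread; the rest is assumed.
ATTEMPTS = [
    ("smtp", 25),
    ("portmap", 111),
    ("rpc service, dynamically bound", 32771),
    ("rpc service, dynamically bound", 1024),
    ("http", 80),
]

# Assumed range from which an RPC service may be handed a port.
DYNAMIC_RANGE = range(1024, 65536)


def default_permit_policy(deny_ports):
    """'Everything not specifically forbidden is permitted.'"""
    deny = frozenset(deny_ports)
    return lambda port: port not in deny


def default_deny_policy(allow_ports):
    """'Everything not specifically authorized is forbidden.'"""
    allow = frozenset(allow_ports)
    return lambda port: port in allow


def admitted(policy, attempts):
    """Descriptions of the attempts the given policy lets through."""
    return [desc for desc, port in attempts if policy(port)]


def dynamic_overlap(allow_ports, dynamic_range=DYNAMIC_RANGE):
    """Allow-list holes inside the dynamic range. If an RPC service
    starts before the intended service, it could bind one of these
    and be reachable through the hole; these are the ports whose
    start-up order must be checked."""
    return sorted(p for p in allow_ports if p in dynamic_range)


if __name__ == "__main__":
    # Filtering only portmap still admits the dynamically bound RPC ports.
    print(admitted(default_permit_policy({111}), ATTEMPTS))
    # Default deny with holes for smtp and http admits only those.
    print(admitted(default_deny_policy({25, 80}), ATTEMPTS))
    # A hole at 1024 sits in the dynamic range and needs ordering care.
    print(dynamic_overlap({25, 80, 1024}))
```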