> No. You can't allow rlogin without opening up access to all the TCP
> services that live below port 1024 (finger, sendmail, ftp, ...),
> because rlogin uses a random port below 1024 for the client end of the
If you have a filtering mechanism which supports some variant of the
"established" keyword, you could allow outbound rlogin/rsh/etc. without having
to support inbound access to all the other TCP services which live below port
1024. Since rlogin uses a random port, you will have to allow outbound
connections from any service below port 1024, unless you can do filtering
based on source ports. (Also beware of the problems with "established" on
ciscos, as noted on this list).
> We dealt with the faculty problem problem like this, we got all
> the complaintents in a room in which I showed them a program I
> wrote that spoofed rlogind's and then I hacked into a couple of their
> accounts from a remote machine (at another University) to prove that
> it could be done.
I'm not quite sure I follow this. To write a spoofed rlogind might be useful
in collecting passwords, but this is an insider attack; not something one
would expect a firewall to protect against (and anyone who could write a
rlogind spoof could do the same for telnet, and get a password every time!).
Hacking into their accounts using rlogin and bogus nameserver packets is a
good argument against inbound rlogin, but doesn't prove outbound rlogin to be
From: rens @
com (Rens Troost)
From: Brent Chapman <brent @