Quoting Gil Shwed:
+ (1) RPC services are on anonymous ports (they are *not* pre-determined),
+ the portmapper (sunrpc, port 111) is used only for the
+ program-number -> port-number mapping. Scanning is very easy since RPC
+ services usually find themselves on ports just over 1023. RPC/YP scanners
+ like these were used by Internet intruders, and had very successful
Apologies for making any silly assumptions, but hopefully I'll learn
something here. (After all, this is a forum for learning, isn't it? :-)
For starters, please clarify whether RPC uses TCP, UDP, or both.
This is what I understand:
- Inbound TCP >1023 can be filtered (e.g., on a Cisco) by setting the
- FTP has a problem with this, due to the passive open from the server's
port 20 to some port >1023 on the client;
- Inbound UDP >1023 can be filtered, but then how do certain UDP services
(DNS springs to mind) get allowed to "complete the call"? Or, is this
strictly a feature of TCP?
- TCP/UDP port usage >1023 cannot be predetermined, i.e., you cannot
force them to use a predetermined range, such as >4096, or?
If RPC services "usually find themselves on ports just over 1023", then
is there a potential conflict between what you need to deny, and what
you need to allow? That is, can I deny TCP/UDP service up to, say,
port 1060 to protect the RPC side, but not prevent legitimate outbound
connections from being completed?
+ (2) Though NFS is RPC service, it uses port 2049 on standard systems.
Thanks for this one. I was wondering about that. That hole is now plugged.
Also, is there a list of "vulnerable" ports >1023 (other than this one) that
one should be paranoid about? (I hate asking this, as I realize that there
will be some concern about giving potential crackers a shopping list....)
+ -- Gil Shwed
+ -- CheckPoint Software Technologies
Jim Carroll | JTS Computer Systems Ltd. | The ongoing struggle of
com | Toronto, Ontario | Prometheus vs. Epimetheus....
From: gil @ il (Gil Shwed)
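As an added illustration of the filtering questions in the post above (this is constructed example code, not code from the original message, from Check Point, or from Cisco): a toy stateless packet filter in the style of a Cisco extended ACL. It shows how an `established` rule lets the site's own outbound TCP connections complete while an inbound SYN to a >1023 port (an RPC service, or the FTP server's data connection) is still dropped, why a UDP reply such as a DNS answer needs its own source-port rule instead, and why the denies for the portmapper and NFS must sit ahead of the `established` rule. All rules, port numbers and packets are assumptions made for the example.

```python
from dataclasses import dataclass
ANY = (0, 65535)  # inclusive port range that matches any port

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False   # TCP ACK bit: clear on the opening SYN, set on every later segment

@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    proto: str          # "tcp", "udp" or "ip" (either)
    sport: tuple        # inclusive (low, high) source-port range
    dport: tuple        # inclusive (low, high) destination-port range
    established: bool = False  # TCP only: match only if ACK is set (IOS also accepts RST)

def matches(rule, pkt):
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (rule.sport[0] <= pkt.sport <= rule.sport[1] and rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    return not rule.established or (pkt.proto == "tcp" and pkt.ack)

def decide(rules, pkt):
    """First matching rule wins; as in a real ACL, the list ends in an implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Constructed inbound (Internet -> site) ACL. Denies come first: a stateless
# 'established' match would otherwise pass any ACK-flagged segment to these ports.
INBOUND = [
    Rule("deny", "ip", ANY, (111, 111)),                          # portmapper
    Rule("deny", "ip", ANY, (2049, 2049)),                        # NFS: RPC, but on a fixed port
    Rule("permit", "tcp", ANY, (1024, 65535), established=True),  # return traffic of our outbound TCP
    Rule("permit", "udp", (53, 53), (1024, 65535)),               # DNS answers to our resolver's port
]
# Constructed sample traffic arriving on the outside interface.
SAMPLES = {
    "reply to our web fetch":        Packet("tcp", 80, 1030, ack=True),
    "new connection to RPC on 1025": Packet("tcp", 4000, 1025),
    "FTP server data connection":    Packet("tcp", 20, 1031),
    "DNS answer":                    Packet("udp", 53, 1040),
    "UDP probe of RPC on 1025":      Packet("udp", 4000, 1025),
    "NFS request from outside":      Packet("udp", 1023, 2049),
}

def decisions(rules=INBOUND, samples=SAMPLES):
    return {name: decide(rules, pkt) for name, pkt in samples.items()}
```

Swapping the two deny rules below the `established` rule lets an ACK-flagged segment reach port 2049, which is the ordering mistake the comment warns about.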