Suggestion for an altered portmap package
Steve G
linux_4ever at yahoo.com
Thu Aug 12 00:37:08 UTC 2004
>As I don't use NFS or NIS on my desktop, either, I've long wanted to be
>able to tell portmap to bind to the loopback interface only, following a
>security principle of making daemons listen to the least possible
>interfaces. There doesn't seem to be a way to do that, so I've tried
>creating an altered portmap package.
Hi,
I am the co-maintainer of xinetd. You should be able to secure portmap without
touching the code. I am not familiar with Fedora or Red Hat's xinetd settings
since I do my own as part of xinetd development. But I use this in /etc/xinetd.d
saved as sgi_fam:
service sgi_fam
{
        type            = RPC UNLISTED
        flags           = NOLIBWRAP
        socket_type     = stream
        user            = root
        group           = root
        server          = /usr/bin/fam
        wait            = yes
        protocol        = tcp
        rpc_version     = 2
        rpc_number      = 391002
        bind            = 127.0.0.1
}
Then in /etc/hosts.allow, I set:
portmap: 127.0.0.1
I also then use fwbuilder to create an iptables setup that insulates all daemons
except what that machine was designed for.
Does this help? It is trivial to modify portmap to take a commandline argument
and bind to that interface. But a system can be secured without touching
portmapper's code.
-Steve Grubb
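The approach in the mail above confines the RPC service (fam) to 127.0.0.1 via xinetd and gates portmap with hosts.allow and iptables. A check a practitioner would want alongside that is to see which sockets are actually still bound to all interfaces afterwards, since hosts.allow filters connections inside portmap after they are accepted and does not change where the socket listens. The following script is an added example, not code from Steve Grubb's mail or from xinetd: it parses `netstat -ln` style output (a constructed sample is embedded so it runs offline), reports every non-loopback listener, and prints iptables rules that restrict a port to the lo interface. The function names and the sample listing are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the mail above): audit which TCP/UDP listeners are
# bound to anything other than loopback, and emit iptables rules that confine
# a port to the lo interface. The netstat output below is a constructed sample
# resembling a host after the xinetd sgi_fam change: fam itself sits on
# 127.0.0.1, but portmap (111) and sshd (22) still listen on every interface.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:32768         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# Read `netstat -ln --inet --inet6` style lines on stdin; print "proto/port"
# for every socket whose local address is not 127.x.x.x, ::1 or localhost.
# Header lines and unix sockets are skipped by the protocol match on $1.
non_loopback_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host !~ /^127\./ && host != "::1" && host != "localhost")
            print $1 "/" port
    }'
}

# Exit 0 if PORT appears in the non_loopback_listeners output read on stdin.
port_exposed() {
    port=$1
    grep -q "/${port}\$"
}

# Emit iptables rules that allow PORT only on lo, for both tcp and udp
# (portmap uses both). Printed rather than applied so the script is safe to
# run unprivileged; pipe the output into sh as root to apply it.
loopback_only_rules() {
    port=$1
    for proto in tcp udp; do
        echo "iptables -A INPUT -i lo -p $proto --dport $port -j ACCEPT"
        echo "iptables -A INPUT -p $proto --dport $port -j DROP"
    done
}

# Usage against the constructed sample; on a live host replace the printf with
#   netstat -ln --inet --inet6
printf '%s\n' "$SAMPLE_NETSTAT" | non_loopback_listeners
if printf '%s\n' "$SAMPLE_NETSTAT" | non_loopback_listeners | port_exposed 111; then
    echo "portmap still listens on all interfaces; suggested rules:"
    loopback_only_rules 111
fi
```

On the sample, fam's dynamically assigned port (32768) is correctly absent from the report because xinetd bound it to 127.0.0.1, while 111/tcp and 111/udp show up as exposed; that is the gap the hosts.allow entry and the iptables ruleset in the mail are there to close.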
More information about the fedora-devel-list mailing list