Subject: Re: Host access philosophy (Was: restricting NFS (and associated services) to one IP address)
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Greg A. Woods <woods@weird.com>
List: netbsd-users
Date: 11/12/2006 17:58:23
--pgp-sign-Multipart_Sun_Nov_12_17:58:17_2006-1
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
At Mon, 9 Oct 2006 20:37:44 -0400,
Steven M. Bellovin wrote:
>=20
> The first is to incorporate access control semantics into rpcbind.
On NetBSD rpcbind(8) already says:
Access control is provided by /etc/hosts.allow and /etc/hosts.deny, as
described in hosts_access(5) with daemon name rpcbind.
It's not very fine-grained though.
There's also the "[addr:]" feature provided by NetBSD's inetd(8), which
will force those RPC servers run from inetd into listening only on the
specified address or subnet.
That doesn't do much for the NFS related services though since they're
stand-alone daemons (some of which "must NOT be invoked by inetd(8)").
Maybe it wouldn't be too difficult to at least add libwrap support to
them though.
--=20
Greg A. Woods
H:+1 416 218-0098 W:+1 416 489-5852 x122 VE3TCP RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com> Secrets of the Weird <woods@weird.com>
--pgp-sign-Multipart_Sun_Nov_12_17:58:17_2006-1
Content-Type: application/pgp-signature
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
MessageID: LC6BMTTqpke3LCeSPN+IiRH8qKMLeET2
iQA/AwUBRVenDWJ7XxTCWceFEQLLvgCcDbtEiZEVKMYtHjIho7GLHRrJYwAAnRZI
hzN/U8tdcmE943GLGJEn0rXZ
=IyHP
-----END PGP SIGNATURE-----
--pgp-sign-Multipart_Sun_Nov_12_17:58:17_2006-1--