(E-Mail Removed) (Ryan Hubbard) wrote in message news:<(E-Mail Removed). com>...
> Thanks for the replies. Well I already have the appropiate ips in the
> host allow/deny and I already have the 111 rule in there. Prg do you
> know if it is possible to restrict NIS to only bind to a specific
> adapter? Say eth0 and eth1 are the adapters would it be possible to
> say to only allow it to bind to eth1? I know this isn't really
> securing it since I have heard of hacks to gain access to eth1 through
> eth0 but just out of curousity?
[snip]
Get a handle on rpc and the portmapper and you'll understand (kinda
sorta) the problems when filtering NIS.
The same problems crop up re: trying to "bind" the apps (ie., port #s)
to a particular interface. With policy routing -- using multiple
routing tables with rulesets "bound" to particular interfaces -- you
can get more control for routing/filtering net traffic.
http://lartc.org/howto/
http://linux-ip.net/
http://www.policyrouting.org/PolicyR...NLINE/TOC.html
But the rpc/NFS (portmapper/NFS) ports are the only ones
pre-determined (by default) with apps registering _random_ port
numbers with the portmapper. There's not really enough info (known
beforehand) in the packet headers to provide effective, granular
filtering of apps that run behind the port mapper.
You can "fix" the ports to pre-determeined #s for some of the apps.
Look here:
http://ike.room17.com/pipermail/ale/...30/002564.html
for an NFS example with iptables (it's for RH though).
These may be useful also:
http://www.lowth.com/LinWiz/nfs_help.html
http://www.redhat.com/docs/manuals/l...erver-nis.html
http://nfs.sourceforge.net/nfs-howto/security.html
With this and policy routing you can get "more" control, but whether
it's enough I can't say. With the other access controls it could work
OK for you. But know that I've never tried to run NFS/NIS on a
multi-homed host /:-)
hth,
prg
email above disabled
Similar Threads
Linear Mode
