Re: NFS packet blocking (Was Mouse EXPLOIT info...)

Rafi Sadowsky (rafi@tavor.openu.ac.il)
Thu, 19 Jan 1995 20:08:15 +0200 (IST)

On Wed, 18 Jan 1995, Dave Williss wrote:

> In previous message, Christopher Klaus said...
> 
> > > Why can't you make mountd on Ultrix 4.X reject mount requests from 
> > > non-privileged ports? turning on "nfsportmon" in the kernel doesn't
> > > quite do the job properly. Things that make you go hmmm...
> 
> > Install a good portmapper so that remote hosts can't easily find what port
> > mountd is on.  A better solution is to make sure that your routers kill
> > all NFS packets from remote nets.  
> 
> Any idea what I should block on my router to do this?  I have a cisco
> router if that's any help.
Port 2049 is the NFS port (normally UDP, but the TCP port should be
blocked too, as some newer NFS implementations support TCP ...).
Blocking it at your router should (I think) block all NFS attacks.

> 
> Also, does anybody know of a mailing list or FAQ for cisco setup.  I find 
> their manuals cryptic.
For a cisco, the following line in an access list should block incoming NFS
to class B net 147.233:

access-list 1<xx> deny udp 0.0.0.0 255.255.255.255 147.233.0.0 0.0.255.255 eq 2049

(one line - this of course does UDP only, and the access list must be 100-199;
of course you would have to allow the connections you do want to allow, as
there is an implicit deny-all at the end of each access list)


while on the *incoming*  port you would have
int eth <n>
access-group 1<xx>

(if you have version 10.X you can also block on the outgoing port - RTFM.. :-)


> -- 
> David C. Williss    			    #include <standard.disclaimer>
> Software Engineer -- MicroImages, Inc.		dwilliss@microimages.com
> WWW: http://tnt.microimages.com/~dwilliss       dwilliss@csealumni.unl.edu
> -- PGP Public Key available via finger from: dwilliss@csealumni.unl.edu --
> 
-- 
Rafi Sadowsky                                   rafi@tavor.openu.ac.il
[postmaster@openu.ac.il]                        FAX: +972-3-6460483
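An added illustration, not part of the original post: a small evaluator for Cisco-style extended access-list entries, used to check what the UDP-only rule above does and does not stop. The list number 101, the sample packets, and the trailing "permit ip" entry (a stand-in for whatever you actually want to allow) are all constructed here.

```python
# Added example (not from the mailing-list post): evaluate extended access-list
# entries the way a router does, to show the TCP gap in the UDP-only rule.
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask semantics: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_entry(line: str):
    """Parse 'access-list N action proto src src-wc dst dst-wc [eq port]'."""
    t = line.split()
    action, proto = t[2], t[3]
    src, src_wc, dst, dst_wc = t[4], t[5], t[6], t[7]
    dport = int(t[9]) if len(t) > 9 and t[8] == "eq" else None
    return action, proto, src, src_wc, dst, dst_wc, dport


def evaluate(acl_lines, proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; no match means the implicit deny at the end."""
    for line in acl_lines:
        action, p, s, swc, d, dwc, port = parse_entry(line)
        if p not in ("ip", proto):          # 'ip' matches any protocol
            continue
        if not (wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"                            # implicit deny-all


# Constructed lists: the UDP-only rule from the post, and one that also covers TCP.
UDP_ONLY = [
    "access-list 101 deny udp 0.0.0.0 255.255.255.255 147.233.0.0 0.0.255.255 eq 2049",
    "access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
]
UDP_AND_TCP = [
    "access-list 101 deny udp 0.0.0.0 255.255.255.255 147.233.0.0 0.0.255.255 eq 2049",
    "access-list 101 deny tcp 0.0.0.0 255.255.255.255 147.233.0.0 0.0.255.255 eq 2049",
    "access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
]

if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        print(proto, "NFS to 147.233.5.6, UDP-only list:", evaluate(UDP_ONLY, proto, "10.1.2.3", "147.233.5.6", 2049))
        print(proto, "NFS to 147.233.5.6, both lists:  ", evaluate(UDP_AND_TCP, proto, "10.1.2.3", "147.233.5.6", 2049))
```

Dropping the trailing permit entry shows the implicit deny: with only the deny line present, unrelated traffic is refused as well.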