Re: NFS packet blocking (Was Mouse EXPLOIT info...)

Casper Dik (casper@fwi.uva.nl)
Fri, 20 Jan 1995 16:05:59 +0100

>Sun's NFS implementation always used TCP as well as UDP -- a better
>idea would be to block portmapper (111 udp/tcp) as well as NFS ---
>but it depends on how paranoid you wish to be.

Sun's NFS implementation has never used TCP, only UDP.
Mountd does use TCP.

>Blocking tcp/udp 2049 will not prevent *ALL* NFS attacks -- you might still
>be able to get the fh's through source routed requests to rpc.mountd (which
>might run on TCP & UDP ports), but it won't give you any access -- you can never
>retrieve any data, because you can't get a reply sent back to you (you'd
>need to fake the src address to get a reply, but you won't pass the filters
>if you want the reply.. UDP doesn't have an IP_OPTIONS, thus doesn't support
>source routing.)
>
>if NFS is filtered at the router, you will be able to send "unlink" requests
>(using the fh's you have) but it will only cause damage, which is still 
>dangerous enough.

Not necessarily.  If you block all requests destined for port 2049
in an inbound filter, faked packets won't get through, no matter
what the source address is.

Casper
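To illustrate the point in the reply above (an inbound filter on destination port 2049 stops forged packets whatever source address they carry), here is an added toy model that is not part of the original mail: two stateless filter policies evaluated over constructed inbound packets; the inside prefix, addresses and port numbers other than 2049 are assumptions.

```python
# Added example (not from the original post): a toy stateless inbound
# packet filter contrasting source-address trust with a port-2049 block.
from dataclasses import dataclass

INSIDE_NET = "10.0.0."   # hypothetical inside address prefix for the model


@dataclass(frozen=True)
class Packet:
    src: str      # claimed source address (may be forged)
    dst: str      # destination address
    proto: str    # "udp" or "tcp"
    dport: int    # destination port


def policy_trust_inside(pkt: Packet) -> str:
    """Policy A: pass anything that claims an inside source address.
    A packet with a forged inside src address is indistinguishable from
    a real one to a stateless filter, so it passes."""
    return "pass" if pkt.src.startswith(INSIDE_NET) else "drop"


def policy_block_nfs_inbound(pkt: Packet) -> str:
    """Policy B (the reply's point): drop inbound packets to destination
    port 2049 on both UDP and TCP, without looking at the source address."""
    if pkt.dport == 2049 and pkt.proto in ("udp", "tcp"):
        return "drop"
    return "pass"


def evaluate(policy, packets):
    """Apply one policy to each packet; returns the verdict per packet."""
    return [policy(p) for p in packets]


# Constructed packets arriving inbound on the external interface.
PACKETS = [
    Packet("192.0.2.7", "10.0.0.5", "udp", 2049),  # outside host -> NFS
    Packet("10.0.0.9", "10.0.0.5", "udp", 2049),   # forged inside src -> NFS
    Packet("192.0.2.7", "10.0.0.5", "tcp", 25),    # unrelated inbound mail
]

if __name__ == "__main__":
    for name, pol in (("trust-inside", policy_trust_inside),
                      ("block-2049", policy_block_nfs_inbound)):
        print(name, evaluate(pol, PACKETS))
```

The forged-source NFS packet passes the address-based policy but is dropped by the destination-port policy, which never consults the source address.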