>> I keep hearing people say this ["it's insecure"] about NIS.

> Have a firewall block the ports NIS is using

The trouble is, this changes from each boot to the next, and changes from host to host. When the daemon starts up, it picks a port randomly (well, actually, the kernel picks it at the daemon's request) and registers it with the portmapper. The router thus would have to constantly do GETPORT queries to be sure of blocking the correct port. I don't know of any commercial router box that can do this, and doubt one exists; if you're rolling your own firewall on an OS you have source to, anything is possible.

Alternatively, you could have it do something like keep an open TCP connection to every host (say, to the discard port) with keepalives on. When a machine reboots, the keepalives will kill this connection and the firewall will notice and realize it needs to redo the GETPORT query for that machine. Of course, it may not notice quite soon enough; perhaps you should connect to the echo port, and write a byte and wait for it to come back before forwarding a packet.

> and make sure the router is programmed not to allow NIS packets
> through an outside line.

The problem here is telling which packets are NIS packets.

> Then the questions come, what ports do I block? On one setup, I
> already block the ports for sunrpc. Is that enough?

Not if you mean just port 111, as was discussed here quite recently. It's far too easy for the attacker to just fire queries at a couple of thousand ports to find the one NIS is listening on.

der Mouse

mouse@collatz.mcrcim.mcgill.edu
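The "ports change every boot" problem above, shown from the defender's side as an added example that is not part of the original post: a small auditor that parses `rpcinfo -p` output, lists which ports the NIS daemons (ypserv, ypbind, yppasswdd) currently hold besides the fixed sunrpc port 111, and compares two snapshots to show which block rules a static firewall would have to be rewritten after a reboot. The two snapshots are constructed sample output, and the program numbers are the well-known RPC assignments; nothing here is taken from a real host.

```python
# Added example, not from the original post: audit NIS registrations in
# `rpcinfo -p` output. Sample snapshots below are constructed, not captured.
import re
# Well-known RPC program numbers of the NIS family.
NIS_PROGRAMS = {100004: "ypserv", 100007: "ypbind", 100009: "yppasswdd"}
# Data rows of `rpcinfo -p`: program, version, proto, port, service name.
_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)")

def parse_rpcinfo(text):
    """Return (program, version, proto, port) tuples; the header row is skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            prog, vers, proto, port = m.groups()
            rows.append((int(prog), int(vers), proto, int(port)))
    return rows

def nis_ports(rows):
    """Map (daemon, proto) -> port for each NIS program currently registered:
    the ports a firewall must block besides 111, valid only until the next boot."""
    return {(NIS_PROGRAMS[p], proto): port
            for p, _vers, proto, port in rows if p in NIS_PROGRAMS}

def ports_moved(before, after):
    """(daemon, proto) keys whose port differs between two snapshots."""
    return sorted(k for k in before if k in after and before[k] != after[k])

# Same host, two consecutive boots: only the portmapper stays on a fixed port.
BOOT_1 = """   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp    640  ypserv
    100004    2   tcp    642  ypserv
    100007    2   udp   1023  ypbind
    100009    1   udp    739  yppasswdd
"""
BOOT_2 = """   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp    735  ypserv
    100004    2   tcp    737  ypserv
    100007    2   udp   1022  ypbind
    100009    1   udp   1019  yppasswdd
"""
if __name__ == "__main__":
    before, after = nis_ports(parse_rpcinfo(BOOT_1)), nis_ports(parse_rpcinfo(BOOT_2))
    print("NIS ports now:", sorted(after.items()))
    print("moved since last boot:", ports_moved(before, after))
```

Running the auditor on real output (`rpcinfo -p host`) at each boot gives the current block list; the non-empty `ports_moved` result between snapshots is exactly why a rule set written for one boot fails on the next.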