On 08 Apr 2001 13:04:26 -0700, Tyrin Price wrote:
> These access control files only work for those services run from inetd
> ... nfs uses portmap. I bet you don't have the portmapper wrapped.
Tyrin, it seems you're the one who can answer a question I posted earlier today, for which there were no takers so far. It's not yet in the archive, so sorry for reposting:

----------------------

Standard info: I have looked through all docs I could find (new nfs-HOWTO on http://nfs.sourceforge.net/ (needs to be put into woody, BTW; the currently included one doesn't deal with new nfs-utils and the mountd, lockd, statd lines in hosts.allow/deny), /usr/share/doc/portmap, list archives, man update-inetd (which I don't seem to understand at all)), but still, yadda yadda.

I run woody with kernel 2.4.2 with kernel-server (v3 also enabled). I have kernel-server support on the server, no firewall on the internal interface, and I don't run NIS. NFS works, but I'm quite unsure if I did it right: I couldn't figure out from the docs how to set access control correctly. My external interface is firewalled anyway, but still I want to have more than one security level, and I want to learn.

Here's what I have found out and done: User has the same UID/GID on client and server. /etc/exports on server and /etc/fstab on client are OK. The server's /etc/inetd.conf I haven't changed for nfs. It has no entries for nfs, just:

#:RPC: RPC based services

/usr/share/doc/portmap/README.gz and the new HOWTO tell me to set in /etc/hosts.allow:

portmap: my.sub.net.number/my.sub.net.mask
mountd: my.sub.net.number/my.sub.net.mask
lockd: my.sub.net.number/my.sub.net.mask
statd: my.sub.net.number/my.sub.net.mask

which I have done (I deny ALL:ALL in hosts.deny).
On the server I have running: portmap, rpc.statd, inetd, [nfsd], [lockd], [rpciod], rpc.mountd
On the client there is running (when nfs dirs are mounted): portmap, rpc.statd, [lockd], [rpciod]

But a tcpdchk on the server tells me:

"warning: /etc/hosts.allow, line 14: portmap: service possibly not wrapped
warning: /etc/hosts.allow, line 15: mountd: no such process name in /etc/inetd.conf
warning: /etc/hosts.allow, line 16: lockd: no such process name in /etc/inetd.conf
warning: /etc/hosts.allow, line 17: statd: no such process name in /etc/inetd.conf"

Yeah, they aren't. But why? How? Should I? This isn't described anywhere I looked. This makes me feel very insecure.

Questions:
Do I have the right stuff running on server and client (I guess so)?
What goes in inetd.conf, if anything? If not, and you are patient, would you please care to explain it to me?
Are the portmap, mountd, statd and lockd in debian built to honor hosts.allow/deny, but still standalone (libwrap or something)?

---------------

That would be awfully nice of you

--
I did not vote for the Austrian government
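As an added example that is not part of the original post (nor code from the Debian packages it mentions): the script below emulates the tcp_wrappers lookup order (a hosts.allow match grants, otherwise a hosts.deny match refuses, otherwise access is granted) for the portmap, mountd, lockd and statd lines quoted above, and shows the check that the tcpdchk warnings call for. tcpdchk compares hosts.allow entries against inetd.conf, so it cannot tell whether a standalone daemon is wrapped; running ldd on the daemon binary and looking for libwrap can. The subnet 192.168.1.0/255.255.255.0 stands in for my.sub.net.number/my.sub.net.mask, the client addresses and both rule files are constructed for the example, and /sbin/portmap and /usr/sbin/rpc.mountd are assumed paths.

```shell
#!/bin/sh
# Added example, not from the original post. Emulates the tcp_wrappers
# hosts.allow / hosts.deny decision for the daemons named in the post and
# checks whether a daemon binary is linked against libwrap. Rule files,
# subnet and client addresses below are constructed for the example.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    addr=$1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Does a client address match one client pattern from a rule?
# Handles ALL, an exact address, and the net/mask form used in the post.
client_matches() {
    pattern=$1; client=$2
    case $pattern in
        ALL) return 0 ;;
        */*)
            net=${pattern%/*}; mask=${pattern#*/}
            m=$(ip_to_int "$mask")
            [ $(( $(ip_to_int "$client") & m )) -eq $(( $(ip_to_int "$net") & m )) ]
            ;;
        *) [ "$pattern" = "$client" ] ;;
    esac
}

# Does a daemon name appear in a comma- or space-separated daemon list?
daemon_matches() {
    daemon_list=$1; daemon=$2
    old_ifs=$IFS; IFS=', '
    set -- $daemon_list
    IFS=$old_ifs
    for d in "$@"; do
        if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then return 0; fi
    done
    return 1
}

# First rule in $file whose daemon list and client list both match wins.
rule_file_matches() {
    file=$1; daemon=$2; client=$3
    [ -r "$file" ] || return 1
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        dlist=${line%%:*}
        clist=${line#*:}; clist=${clist%%:*}   # drop an optional shell-command field
        daemon_matches "$dlist" "$daemon" || continue
        old_ifs=$IFS; IFS=', '
        set -- $clist
        IFS=$old_ifs
        for pat in "$@"; do
            client_matches "$pat" "$client" && return 0
        done
    done < "$file"
    return 1
}

# tcp_wrappers order: hosts.allow match -> allow; else hosts.deny match -> deny;
# else allow. Prints the verdict.
wrapper_decision() {
    daemon=$1; client=$2; allow_file=$3; deny_file=$4
    if rule_file_matches "$allow_file" "$daemon" "$client"; then
        echo allow
    elif rule_file_matches "$deny_file" "$daemon" "$client"; then
        echo deny
    else
        echo allow
    fi
}

# Is a daemon binary dynamically linked against libwrap? Such a daemon
# consults hosts.allow/deny itself, which tcpdchk (which only reads
# inetd.conf) cannot see. Returns 0 if libwrap is found.
linked_with_libwrap() {
    ldd "$1" 2>/dev/null | grep -q libwrap
}

# Write the constructed rule files: the post's four lines plus "ALL: ALL" in hosts.deny.
write_example_rules() {
    cat > "$1/hosts.allow" <<'EOF'
portmap: 192.168.1.0/255.255.255.0
mountd: 192.168.1.0/255.255.255.0
lockd: 192.168.1.0/255.255.255.0
statd: 192.168.1.0/255.255.255.0
EOF
    printf 'ALL: ALL\n' > "$1/hosts.deny"
}

tmp=$(mktemp -d) || exit 1
write_example_rules "$tmp"
for d in portmap mountd lockd statd sshd; do
    for c in 192.168.1.7 10.0.0.5; do
        printf '%-8s from %-12s -> %s\n' "$d" "$c" \
            "$(wrapper_decision "$d" "$c" "$tmp/hosts.allow" "$tmp/hosts.deny")"
    done
done
# Assumed binary paths; nothing is printed for a path that does not exist.
for bin in /sbin/portmap /usr/sbin/rpc.mountd; do
    if linked_with_libwrap "$bin"; then echo "$bin: linked with libwrap"; fi
done
rm -rf "$tmp"
```

Two caveats. The ldd check only sees a dynamically linked libwrap; a statically linked one would not show up. And a kernel thread such as the [lockd] in the poster's process list has no binary to inspect at all, so a lockd line in hosts.allow can only take effect for a user-space lock daemon that links libwrap.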