Replies: 9 | Last Post: Jul 7, 2006 8:11 AM by jarrett

ipf and rpc port, how?
Posted: Feb 28, 2006 4:10 AM
Posts: 123 | From: TW | Registered: 6/15/05
Hi all,
I wonder if there is a way to configure ipf to pass in traffic to rpc services by rpc program number or some other keywords, since some of rpc services don't have well-known port numbers?
Thanks!
Ivan.

Re: ipf and rpc port, how?
Posted: Mar 9, 2006 2:56 PM, in response to: ivwang
Posts: 2,060 | Registered: 6/8/05
This capability is a well known feature-gap. There is a proxy, of sorts, in the IPFilter source code at present, but it is of questionable integrity. If you're interested in getting your hands dirty, you're more than welcome to try it out and do some work on it (including rewrite from scratch.)
Darren

Re: ipf and rpc port, how?
Posted: Mar 10, 2006 12:28 PM, in response to: ivwang
Posts: 89 | From: US | Registered: 3/9/05
To add to what Darren has said, the need for this feature is tracked by the following bug:
6223938 RFE: Need a SunRPC proxy for ipfilter
The existing proxy actually can be invoked with ipnat rules like this:
map eri0 0/0 -> 192.1.1.1/32 proxy port 111 rpcbu/udp
but it probably won't work and is definitely not well tested and is not supported.
You can look at the source for the ipfilter proxies here:
http://cvs.opensolaris.org/source/xref/on/usr/src/common/ipf/
The current rpcbind proxy is ip_rpcb_pxy.c, but is known to really be inadequate.
Thanks, Paul

Re: ipf and rpc port, how?
Posted: Mar 17, 2006 12:29 AM, in response to: ivwang
Posts: 123 | From: TW | Registered: 6/15/05
Thanks Darren and Paul,
I don't know if I interpreted the rpc proxy you mentioned correctly. It looks to me that to use the rdr rule to protect ephemeral RPC ports, one has to block all in on the public interface first, then use rdr to selectively redirect incoming connections to the actual port to implement access control. Is that the case?
This looks a bit circuitous to me. And to identify a specific RPC server, the port number is still needed to write such an rdr rule.
In my straight and simple thinking, do you think it is better to insert corresponding filtering rule via some ipf API in rpcbind when an rpc service register itself? Though in this case, the RPC filtering rules would probably not all reside in the monolithic ipf.conf.
Thanks, Ivan.

Re: ipf and rpc port, how?
Posted: Mar 17, 2006 2:10 PM, in response to: ivwang
Posts: 89 | From: US | Registered: 3/9/05
That example above is an ipnat.conf rule, not an ipf.conf rule. The proxies in ipnat.conf do understand protocols. If you want to play around, use the ftp proxy, which is well supported and well tested. If your firewall rules have port 21 allowed and also an ftp proxy rule, try running PASV ftp. You'll see that the ephemeral ports are opened up for this connection.
As far as the RPC proxy, like we said, it probably doesn't work well and needs work and is not supported. I agree, you need to be able to specify an RPC program number in order for it to be granular enough to be really worthwhile. The example syntax was given in case you wanted to look at it and improve it :)
For the non-forwarding, on-host case, a custom proxy that listens to bind requests and uses the IPfilter API sounds like a good idea. I don't know too much about how that works, but Darren may have more to say on it. With OpenSolaris, a public /usr/include/netinet/ip_nat.h header file is included in order to create custom ipfilter proxies. I'm not really too familiar with the API, though, except that I know some customers are using it right now. Perhaps someone else can comment on the documentation for this API?
Thanks, Paul

Re: ipf and rpc port, how?
Posted: Apr 10, 2006 10:10 AM, in response to: pwernau
Posts: 3,422 | From: Austin, TX, USA | Registered: 6/15/05
Perhaps the binder APIs could be made to update the filter by way of a socket option?

Re: ipf and rpc port, how?
Posted: Jul 6, 2006 10:19 AM, in response to: ivwang
Posts: 6 | From: Virginia | Registered: 7/6/06
About the same time that you posted this response, I wrote up my solution to this type of problem.
I took a script which parsed the output of rpcinfo -p and converted it into an SMF service, causing it to run when any of the selected RPC services changes state.
Dynamic Ipfilter Rules for RPC Services

Re: ipf and rpc port, how?
Posted: Jul 6, 2006 10:31 AM, in response to: sferry
Posts: 6 | From: Virginia | Registered: 7/6/06
For some reason I couldn't attach files to the first reply...
The attached files are:
an example config, to be placed in /etc/ipf
the service method, to be placed in /lib/svc/method
the service manifest, to be placed in /var/svc/manifest/application
Import the manifest:
/usr/sbin/svccfg -v import /var/svc/manifest/application/ipfilter_rpcbind.xml
Set the services you want to watch for refresh:
/usr/sbin/svccfg -s ipfilter:rpcbind setprop "rpc_services/entities = fmri: (`/usr/bin/svcs -H \*rpc\* \*nis\* \*nfs\* | awk '$NF !~ /bind:default|ipfilter/{ print $3 }'`)"
Refresh the service:
/usr/sbin/svcadm refresh ipfilter:rpcbind
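The core of the approach sferry describes in the two posts above (parse `rpcinfo -p`, emit IPFilter pass rules only for the ports that the registered RPC services are currently using) can be shown in a few lines of shell. The script below is an added example, not sferry's script or the attached method file: the `rpcinfo -p` output is a constructed sample embedded in the script rather than captured from a host, and the interface name `bge0` and the list of allowed program numbers (100003 nfs, 100021 nlockmgr, 100005 mountd) are assumed policy for the demonstration. Port 111 for rpcbind itself is deliberately left to a static rule, which is why 100000 is not in the allowed list.

```shell
#!/bin/sh
# Added example: generate IPFilter "pass in" rules for the ports that
# currently registered RPC programs listen on, from `rpcinfo -p` output.
# Everything not explicitly allowed stays blocked by the rest of ipf.conf.

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    4   tcp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100005    3   tcp  32771  mountd
    100005    3   udp  32771  mountd
    100024    1   tcp  32772  status'

# RPC program numbers the firewall should expose (assumed policy):
# 100003 = nfs, 100021 = nlockmgr, 100005 = mountd.
ALLOWED_PROGS='100003 100021 100005'

# rpc_rules IFACE ALLOWED_PROGS < rpcinfo-output
# Emits one "pass in quick" rule per unique (proto, port) pair whose RPC
# program number is in ALLOWED_PROGS. Pairs are de-duplicated in input order,
# so a program registered under several versions yields a single rule.
rpc_rules() {
    iface=$1
    progs=$2
    awk -v iface="$iface" -v progs="$progs" '
        BEGIN { n = split(progs, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        NR == 1 && $1 == "program" { next }             # skip the header line
        NF >= 4 && ($1 in want) && $4 ~ /^[0-9]+$/ {
            key = $3 " " $4
            if (!(key in seen)) {
                seen[key] = 1
                printf "pass in quick on %s proto %s from any to any port = %s keep state # rpc %s %s\n",
                       iface, $3, $4, $1, $5
            }
        }'
}

# rule_count IFACE ALLOWED_PROGS < rpcinfo-output : number of rules emitted
rule_count() {
    rpc_rules "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: print the rules generated for the constructed sample.
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_rules bge0 "$ALLOWED_PROGS"
```

On a live host the sample would be replaced by `rpcinfo -p | rpc_rules bge0 "$ALLOWED_PROGS"`, the output written to a file under /etc/ipf and loaded with `ipf -Fa -f <file>`; the value of the SMF wrapper sferry describes is that this regeneration runs every time one of the watched RPC services changes state, so the rule set never lags behind the ephemeral port assignments.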

[Security-discuss] Looking for TX extension install documentation
Posted: Jul 6, 2006 5:57 PM, in response to: sferry
Posts: 44 | Registered: 7/4/06
Does anyone know where there is some good install / configuration documentation for the new Trusted Extensions? I've gone over the included documentation, but I think I need to do a bit more reading when it comes to labeled zones.
Thank You
Robert Bailey
_______________________________________________ security-discuss mailing list security-discuss at opensolaris dot org

Re: [Security-discuss] Looking for TX extension install documentation
Posted: Jul 7, 2006 8:11 AM, in response to: a226716
Posts: 78 | Registered: 2/22/06
Robert Bailey wrote:
> Does anyone know where there is some good install / configuration documentation for the new Trusted Extensions? I've gone over the included documentation, but I think I need to do a bit more reading when it comes to labeled zones.
I believe the install instructions come with the Solaris Express (SX) 07/06 download. Maybe we should put the instructions on the opensolaris website as well. BTW, an architecture document of Solaris Trusted Extensions was put on the opensolaris website recently under the Trusted Extensions project.
Thanks.
Jarrett