Mailinglist Archive: opensuse-security (232 mails)

Re: [suse-security] Re: portmap only for local interfaces
  • From: Philippe Vogel <filiaap@xxxxxxxxxx>
  • Date: Sun, 02 Oct 2005 17:38:41 +0200
  • Message-id: <433FFF01.5070406@xxxxxxxxxx>

Henning Hucke wrote:

> On Sun, 2 Oct 2005, Bruno Cochofel wrote:
>> When I do a netstat -tlnp I find that portmap LISTEN on port 111
>> to all interfaces. Is this safe? Can I change the conf so that
>> only localhosts can connect?
> This portmapper is tcpwrapper enabled. So please read
> "man 5 hosts_access".
> Since the tcpwrapper is quite simple it is a suitable tool.
> Nonetheless it would never be a replacement for a proper firewall
> rule set.
> Best regards Henning Hucke

Portmapper is only needed for nfs, mount-daemon and quotas (correct
this if I forgot things). So it can be disabled if it isn't needed!

Setting up portmapper listening on local host only is kind of
difficult (as I intended this as well for some servers). SuSEfirewall2
blocks this traffic by default.

It is recommended to use a firewall if you offer unprotected services
to the internet. If you don't have open ports a firewall is normally
not needed. Only an open port can be hacked. Don't compare Redmond
(TM) firewalls with Linux - it's not the same. They want to imitate
iptables with a kind of copy-effect and put a lot more in it and
want to call this a firewall (a firewall in its meaning is a
portblocker - no more, no less)!

If you think you get attacks each time you log in:

If you use dial-in or DSL connections you may get packets related to
an earlier connection from another user using the same IP you use.
These are normally not attacks on you.



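The check from the question in this thread, as an added example that is not part of the original mails: a shell function that reads `netstat -tlnp` output and lists the listeners bound to a wildcard address. The sample output, the function names and the hosts_access rules shown in the comments are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -tlnp` output (not taken from the thread).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1234/portmap
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2345/master
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      3456/cupsd
tcp        0      0 :::22                   :::*                    LISTEN      4567/sshd
EOF
}

# Print "port program" for every TCP listener bound to a wildcard address
# (0.0.0.0, :: or *), i.e. reachable on all interfaces unless filtered.
wildcard_listeners() {
    awk '$6 == "LISTEN" {
        addr = $4
        port = addr; sub(/.*:/, "", port)      # text after the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "0.0.0.0" || host == "::" || host == "*") {
            prog = $7; sub(/^[0-9]+\//, "", prog)   # drop the "PID/" prefix
            print port, prog
        }
    }'
}

# Exit status 0 when the given port is bound on all interfaces.
port_on_all_interfaces() {
    wildcard_listeners | awk -v p="$1" '$1 == p { found = 1 } END { exit !found }'
}

# Example hosts_access(5) rules for a tcpwrapper-enabled portmap
# (illustrative; use numeric addresses):
#   /etc/hosts.allow:   portmap: 127.0.0.1
#   /etc/hosts.deny:    portmap: ALL
# These rules make portmap refuse remote clients, but the socket stays bound,
# so netstat keeps showing 0.0.0.0:111 after they are in place.

sample_netstat | wildcard_listeners
```

On a live system, pipe the real output in instead: `netstat -tlnp | wildcard_listeners`.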

