Re: NFS packet blocking (Was Mouse EXPLOIT info...)

[mouse () Collatz McRCIM McGill EDU (der Mouse)]

> > port 2049 is the NFS port ( normally UDP but the TCP port should be
> > blocked too as some newer NFS implementations support TCP ...)
> > blocking it at your router should ( I think ) block all NFS attacks

Not if your portmapper supports PMAPPROC_CALLIT.

> Sun's NFS implementation always used TCP as well as UDP

Not the SunOS 4.1.2 machines here, certainly; both rpcinfo -p and
netstat list only UDP.  Nor has any older version I have any experience
with ever supported NFS over TCP.

> Blocking tcp/udp 2049 will not prevent *ALL* NFS attacks -- you might
> still be able to get the fh's through source routed requests to
> rpc.mountd

Why bother with source routing?  If the ports are blocked, source
routing won't help; if not, there's no need for it.

Unless you want to forge your IP address, which is orthogonal.

> UDP doesn't have an IP_OPTIONS, thus doesn't support source routing.)

Um, I strongly suggest you check out things like this with the RFCs
before speaking.  UDP, like TCP, is built on top of IP, and thus is
perfectly capable of using IP options like source routing.

> if NFS is filtered at the router, you will be able to send "unlink"
> requests (using the fh's you have)

Um?  If NFS is filtered, how do you propose to get your packets past
the filter?  Or are you postulating a filtering setup stupid enough to
block NFS traffic one way but not the other?

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu