Firewall Wizards mailing list archives
Re: FW-1 and RPC with MSDTC
From: Darren Reed <darrenr () reed wattle id au>
Date: Sat, 13 Jan 2001 04:32:18 +1100 (EST)
Sigh. I must be writing emails in Latin these days or newcomers to networking don't know anything but Microsoft.

Let me attempt to summarise the problems I'm seeing with Microsoft RPC through a firewall:

- you can't control what port number an RPC service gets (you can only influence the range used for the random allocation)
- you can't restrict access based on the RPC itself

Let me contrast that with Sun RPC through FW-1:

- you can't control what port number an RPC gets (it either chooses or gets a random one)
- you can restrict access based on the RPC itself

So I can block all NFS/file locking RPC requests at the firewall but still allow status requests. The reason you can do this is that each Sun RPC service is identified by an RPC number, eg:

RPC Number  Version  Protocol  Port   Service
100003      2        udp       2049   nfs
100003      3        udp       2049   nfs
100001      3        udp       61193  rstatd
100001      4        udp       61193  rstatd

A service can notify the RPC manager which port number it is using (i.e. 2049 for nfs) or request one to be randomly assigned (i.e. 61193 for rstatd). That aside, if you want to allow rstatd through the firewall and only rstatd you can, because you don't allow any other RPC lookups to succeed and neither do you have to allow (or restrict) what port is used because you can get it out of the RPC packets.

Now if you can do all that with MS RPC packets too, someone please send me the docs on how to decode the "service number" or "service name" in the RPC-loc packets. It has got to be there, else the client end cannot talk to the server, I just don't know how... anyone, please ? :)

IMHO, that knowledge base article is a complete wank unless you plan on running one RPC service per box. You can't do that ("20 port minimum") so the whole thing is really a waste of time so far as security is concerned.
To reiterate, when I wrote a proxy for Microsoft's RPC I was not able to set up filtering on the RPC call itself, only decode the lookup and reply, looking for IP addresses and port numbers to remember for future use in client-server filtering.

Darren

In some email I received from Andrew Helm-Cowley, sie wrote:
The RPC port is randomly assigned by the RPC-loc request. You can restrict the ports that are used by editing the registry (Microsoft Q article Q154596). By doing this you can lock RPC down to 20 ports (Microsoft minimum).

Andrew

-----Original Message-----
From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com] On Behalf Of Darren Reed
Sent: Thursday, January 11, 2001 2:58 PM
To: Michael Nelson
Cc: jmegias () hyphop com; firewall-wizards () nfr net
Subject: Re: [fw-wiz] FW-1 and RPC with MSDTC

I think you've misunderstood the question. At least when one uses Sun RPC there is a "program number" (/etc/rpc) for each RPC service. FW-1 allows you to control access across the firewall based on the RPC number (it's encoded into the RPC packets). On the Microsoft front, I've no idea if they have a similar mechanism but I suspect they do. After all, how else do you get the right port number back to a query? The documentation in Samba provides some details and with some protocol analysis I was able to write an RPC proxy for IP Filter so I could firewall an Exchange server and still have things work without having to open up a bunch of ports for no good reason - only 137/tcp or whatever it is where those lookups happen.

Darren

In some email I received from Michael Nelson, sie wrote:

That's because the RPC port number is random. See http://www.microsoft.com/com/wpaper/dcomfw.asp (written by yours truly) for more info. The info applies to RPC as well as DCOM.

-mike

On Tue, 9 Jan 2001, Javier Megias wrote:

We're trying to get one server, that has IIS4 with MSDTC components, talk with a SQL Server 7 database with MSDTC, that is in the other interface of the firewall (Check Point FW-1 SP3). It complains that it can't use RPC or that the RPC call isn't working, so we're trying to find out what RPC app number we must use; have tried almost everything, and we can't get it to work. The IIS is inside a NT Domain, and the SQL Server 7 is inside a NT group.

IIS ----------- FW-1 ------ SQLServer7

I think that the fact could be that we don't really know how RPC really works :-) . Any wizard could light it?

Thanks,
Javier Megias

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
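As an added example (not code from this thread, nor from IP Filter or FW-1), here is a Python decoder for the Sun RPC portmapper GETPORT exchange that Darren's message relies on, with a small allow-list policy of the kind he describes: lookups for program numbers not on the list are denied, and a pinhole to the server port is opened only from the reply that matches an allowed request. The wire layout follows the ONC RPC v2 / portmap v2 specifications (RFC 1057 and RFC 1833); the program numbers are the standard /etc/rpc ones (100001 rstatd, 100003 nfs, 100021 nlockmgr, 100024 status). The packets, xids and the `RpcPinholePolicy` class are constructed here for illustration.

```python
"""Decode Sun RPC portmap GETPORT calls/replies and apply a per-program
allow-list, the way a stateful RPC-aware firewall would. Added example;
all packets below are constructed, not captured."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
MSG_CALL, MSG_REPLY = 0, 1
IPPROTO_TCP, IPPROTO_UDP = 6, 17

# Program numbers as found in /etc/rpc on a typical Unix host.
RPC_PROGRAM_NAMES = {100000: "portmapper", 100001: "rstatd", 100003: "nfs",
                     100021: "nlockmgr", 100024: "status"}


@dataclass(frozen=True)
class GetPortCall:
    xid: int
    prog: int   # program number the client is asking about
    vers: int
    prot: int   # 6 = tcp, 17 = udp


def _skip_auth(pkt: bytes, off: int) -> int:
    """Skip one XDR opaque_auth: flavor, length, body padded to 4 bytes."""
    _flavor, length = struct.unpack_from("!II", pkt, off)
    return off + 8 + ((length + 3) & ~3)


def parse_getport_call(pkt: bytes) -> Optional[GetPortCall]:
    """Return the GETPORT request carried by an RPC CALL, else None."""
    try:
        xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from("!6I", pkt, 0)
        if (mtype, rpcvers, prog, vers, proc) != (MSG_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT):
            return None
        off = _skip_auth(pkt, 24)    # credentials
        off = _skip_auth(pkt, off)   # verifier
        t_prog, t_vers, t_prot, _port = struct.unpack_from("!4I", pkt, off)
    except struct.error:             # truncated datagram
        return None
    return GetPortCall(xid, t_prog, t_vers, t_prot)


def parse_getport_reply(pkt: bytes) -> Optional[Tuple[int, int]]:
    """Return (xid, port) from an accepted, successful GETPORT reply."""
    try:
        xid, mtype, reply_stat = struct.unpack_from("!3I", pkt, 0)
        if mtype != MSG_REPLY or reply_stat != 0:   # MSG_ACCEPTED only
            return None
        off = _skip_auth(pkt, 12)                   # verifier
        accept_stat, port = struct.unpack_from("!II", pkt, off)
    except struct.error:
        return None
    return (xid, port) if accept_stat == 0 else None   # 0 == SUCCESS


class RpcPinholePolicy:
    """Allow GETPORT only for listed programs; learn the port from the
    matching reply and open a pinhole for that program/protocol/port."""

    def __init__(self, allowed_programs: Set[int]) -> None:
        self.allowed = set(allowed_programs)
        self.pending: Dict[int, GetPortCall] = {}        # xid -> call awaiting reply
        self.pinholes: Set[Tuple[int, int, int]] = set()  # (prog, prot, port)

    def inspect_call(self, pkt: bytes) -> str:
        call = parse_getport_call(pkt)
        if call is None or call.prog not in self.allowed:
            return "deny"        # anything but an allowed GETPORT is dropped
        self.pending[call.xid] = call
        return "allow"

    def inspect_reply(self, pkt: bytes) -> str:
        parsed = parse_getport_reply(pkt)
        if parsed is None:
            return "deny"
        xid, port = parsed
        call = self.pending.pop(xid, None)
        if call is None or port == 0:   # unsolicited reply, or "not registered"
            return "deny"
        self.pinholes.add((call.prog, call.prot, port))
        return "allow"

    def permits(self, prot: int, port: int) -> bool:
        return any(p == prot and pt == port for _, p, pt in self.pinholes)


def build_getport_call(xid: int, prog: int, vers: int, prot: int) -> bytes:
    """Constructed GETPORT call with AUTH_NONE credentials and verifier."""
    hdr = struct.pack("!6I", xid, MSG_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    return hdr + struct.pack("!II", 0, 0) * 2 + struct.pack("!4I", prog, vers, prot, 0)


def build_getport_reply(xid: int, port: int) -> bytes:
    """Constructed MSG_ACCEPTED / SUCCESS reply carrying the port."""
    return struct.pack("!3I", xid, MSG_REPLY, 0) + struct.pack("!II", 0, 0) + struct.pack("!II", 0, port)


def demo() -> Dict[str, object]:
    """Replay the situation from the post: rstatd allowed, nfs not."""
    fw = RpcPinholePolicy(allowed_programs={100001})
    r: Dict[str, object] = {}
    r["rstatd_call"] = fw.inspect_call(build_getport_call(0x1001, 100001, 3, IPPROTO_UDP))
    r["nfs_call"] = fw.inspect_call(build_getport_call(0x1002, 100003, 2, IPPROTO_UDP))
    r["rstatd_reply"] = fw.inspect_reply(build_getport_reply(0x1001, 61193))
    r["nfs_reply"] = fw.inspect_reply(build_getport_reply(0x1002, 2049))  # no pending call
    r["pinhole_61193"] = fw.permits(IPPROTO_UDP, 61193)
    r["pinhole_2049"] = fw.permits(IPPROTO_UDP, 2049)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>14}: {v}")
```

The point the decoder makes concrete is the one Darren draws between the two RPC flavours: because the program number travels in the GETPORT call, the policy decision is made before the server ever reveals a port, and the port is learned from the reply rather than configured, so no static range has to be opened.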
Current thread:
- Role of a Security Administrator Maddy (Jan 08)
- Re: Role of a Security Administrator Bennett Todd (Jan 08)
- Re: Role of a Security Administrator Webmaster (Jan 08)
- Re: Role of a Security Administrator Magosányi Árpád (Jan 08)
- FW-1 and RPC with MSDTC Javier Megias (Jan 10)
- Re: FW-1 and RPC with MSDTC Michael Nelson (Jan 11)
- Re: FW-1 and RPC with MSDTC Darren Reed (Jan 12)
- RE: FW-1 and RPC with MSDTC Andrew Helm-Cowley (Jan 12)
- Re: FW-1 and RPC with MSDTC Darren Reed (Jan 12)
- Re: FW-1 and RPC with MSDTC Michael Nelson (Jan 15)
- Re: FW-1 and RPC with MSDTC Michael Nelson (Jan 15)
- FW-1 and RPC with MSDTC Javier Megias (Jan 10)
- <Possible follow-ups>
- Re: Role of a Security Administrator Harris Raymond D JR Civ AFAA/MSI (Jan 10)