Firewall Wizards mailing list archives

Re: PIXen spewing udp packets at port 111?!


From: "Mordechai T. Abzug" <morty () frakir org>
Date: Tue, 7 Jan 2003 18:13:44 -0500

On Tue, Jan 07, 2003 at 02:30:49PM -0500, R. DuFresne wrote:

> Thanks for the reply.  Are you suggesting that the webhosts, indeed
> sun boxen, might be initiating the udp exchange with the gateway of
> the PAT'ed addresses behind it?
>
> My understanding, and it's a tad dated, and might be outdated, is
> that it's near to impossible <hoop jumping and kernel hacks if I
> recall> to tune out RPC on solaris, which is better trained via
> filtering and such.  Is this still valid understanding, or dated?
> solaris 6 and 7 at present, with considerations of solaris 9 in some
> future context.

[Assuming you're talking about RPC portmap clients, since RPC portmap
servers can be killed by renaming /etc/rc2.d/S71rpc.]

RPC as a client can be in the kernel (ie. NFS) but is usually in a
userland process.  Turning off portmap client requests (without
filtering) can sometimes be done in the client config.  If you're not
sure who is generating the portmap requests, why not fire up a sniffer
(ie. Solaris' snoop) and see if your clients really are generating
them?

- Morty
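
Added example, not part of the original message: once UDP payloads sent to port 111 have been captured with a sniffer, decoding the ONC RPC call header shows which host is asking the portmapper for which service. The sketch assumes the payloads have already been exported as (source address, bytes) pairs; the sample packets and addresses are constructed for illustration.

```python
import struct
from collections import Counter

PMAP_PROG = 100000  # portmapper program number, version 2 protocol (RFC 1833)
PMAP_PROCS = {0: "NULL", 1: "SET", 2: "UNSET", 3: "GETPORT", 4: "DUMP", 5: "CALLIT"}
KNOWN_PROGS = {100003: "nfs", 100005: "mountd", 100021: "nlockmgr", 100024: "status"}
PROTOS = {6: "tcp", 17: "udp"}

def parse_portmap_call(payload):
    """Decode one UDP payload seen on port 111; None if it is not a portmap call."""
    if len(payload) < 24:
        return None
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">6I", payload[:24])
    if mtype != 0 or rpcvers != 2 or prog != PMAP_PROG:  # mtype 0 = CALL
        return None
    off = 24
    for _ in range(2):  # skip credential, then verifier: flavor, length, padded body
        if len(payload) < off + 8:
            return None
        _flavor, length = struct.unpack(">2I", payload[off:off + 8])
        off += 8 + ((length + 3) & ~3)
    call = {"xid": xid, "proc": PMAP_PROCS.get(proc, str(proc)), "target": None}
    if proc == 3 and vers == 2 and len(payload) >= off + 16:
        # GETPORT argument: program, version, protocol, port (port unused in the call)
        tprog, tvers, prot, _port = struct.unpack(">4I", payload[off:off + 16])
        call["target"] = (KNOWN_PROGS.get(tprog, str(tprog)), tvers,
                          PROTOS.get(prot, str(prot)))
    return call

def tally(packets):
    """Count portmap calls per (source, procedure, requested service)."""
    counts = Counter()
    for src, payload in packets:
        call = parse_portmap_call(payload)
        if call:
            counts[(src, call["proc"], call["target"])] += 1
    return counts

def make_getport(xid, prog, vers, prot):
    """Build a constructed GETPORT call with AUTH_NONE credential and verifier."""
    header = struct.pack(">6I", xid, 0, 2, PMAP_PROG, 2, 3)
    return header + struct.pack(">4I", 0, 0, 0, 0) + struct.pack(">4I", prog, vers, prot, 0)

# Constructed sample: two hosts querying for NFS/mountd, one unrelated datagram.
SAMPLE = [
    ("192.0.2.10", make_getport(1, 100003, 3, 17)),
    ("192.0.2.10", make_getport(2, 100003, 3, 17)),
    ("192.0.2.11", make_getport(3, 100005, 1, 17)),
    ("192.0.2.12", b"\x00" * 8),
]

if __name__ == "__main__":
    for key, n in tally(SAMPLE).items():
        print(n, key)
```

A host that shows up here asking for `nfs` or `mountd` points at a mount or automounter client rather than at the firewall itself.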