[686] in bugtraq
Re: NFS packet blocking (Was Mouse EXPLOIT info...)
daemon@ATHENA.MIT.EDU (Casper Dik)
Fri Jan 20 12:00:08 1995
To: jsz@ramon.bgu.ac.il (jsz)
Cc: rafi@tavor.openu.ac.il (Rafi Sadowsky), dwilliss@tnt.microimages.com,
bugtraq@fc.net
In-Reply-To: Your message of "Fri, 20 Jan 1995 14:48:39 +0200."
<9501201248.AA09445@ramon.bgu.ac.il>
Date: Fri, 20 Jan 1995 16:05:59 +0100
From: Casper Dik <casper@fwi.uva.nl>
>Sun's NFS implementation always used TCP as well as UDP -- a better
>idea would be to block portmapper (111 udp/tcp) as well as NFS ---
>but it depends on how paranoid you wish to be.
Sun's NFS implementation has never used TCP, only UDP.
Mountd does use TCP.
>Blocking tcp/udp 2049 will not prevent *ALL* NFS attacks -- you might still
>be able to get the fh's through source routed requests to rpc.mountd (which
>might run on TCP & UDP ports), but it won't give you any access -- you can never
>retrieve any data, because you can't get a reply sent back to you (you'd
>need to fake the src address to get a reply, but you won't pass the filters
>if you want the reply.. UDP doesn't have an IP_OPTIONS, thus doesn't support
>source routing.)
>
>if NFS is filtered at the router, you will be able to send "unlink" requests
>(using the fh's you have) but it will only cause damage, which is still
>dangerous enough.
Not necessarily. If you block all requests destined for port 2049
in an inbound filter, faked packets won't get through, no matter
what the source address is.
Casper
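
Added example, not part of the original message: a small model of the two filtering approaches discussed in this thread, run over constructed packets arriving on a router's external interface. It contrasts a filter that trusts the claimed source address with an inbound filter keyed only on destination port (2049 and 111, UDP and TCP). The addresses, the mountd port and all function names are assumptions made for the illustration.

```python
import ipaddress
from collections import namedtuple

# A packet as seen arriving on the router's EXTERNAL interface.
Packet = namedtuple("Packet", "src dst proto dport")

INTERNAL = ipaddress.ip_network("192.0.2.0/24")   # constructed internal network
MOUNTD_PORT = 635                                 # constructed; mountd's port is assigned at runtime

# NFS and portmapper, both transports, as suggested in the thread.
BLOCKED = {("udp", 2049), ("tcp", 2049), ("udp", 111), ("tcp", 111)}


def source_based_filter(pkt):
    """Allow NFS only when the claimed source address looks internal."""
    if pkt.dport == 2049 and ipaddress.ip_address(pkt.src) not in INTERNAL:
        return "drop"
    return "pass"


def inbound_port_filter(pkt):
    """Ignore the source address: drop anything inbound to a blocked port."""
    return "drop" if (pkt.proto, pkt.dport) in BLOCKED else "pass"


# Constructed sample traffic, all arriving from outside.
SAMPLES = {
    "external_nfs":         Packet("203.0.113.7", "192.0.2.10", "udp", 2049),
    "spoofed_internal_nfs": Packet("192.0.2.55",  "192.0.2.10", "udp", 2049),
    "portmapper_query":     Packet("203.0.113.7", "192.0.2.10", "udp", 111),
    "direct_mountd":        Packet("203.0.113.7", "192.0.2.10", "tcp", MOUNTD_PORT),
}


def evaluate(filter_fn):
    """Return {sample name: verdict} for one filter."""
    return {name: filter_fn(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for fn in (source_based_filter, inbound_port_filter):
        print(fn.__name__)
        for name, verdict in evaluate(fn).items():
            print(f"  {name:22s} {verdict}")
```

The port-based filter drops the packet with the faked internal source, while the mountd request on its own port passes both filters and needs a separate rule.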