On Mon, 7 Jan 2008, Erich Newell wrote:
> 1) Why do you have a service listening on this port if you intend to
> block all traffic to it?
TCP/111 is listening on an internal interface (eth1) but blocked on eth0.
Lame, but RPC does not seem to have a method of binding the daemon to a
specific interface only.
> 2) Are there any other services that might be exposed if iptables are
> reset? or is sunrpc the only one?
RPC is the only one. Other services (like SSH) are not exposed if iptables
fails because they are configured to only listen on an internal interface.
> 3) What logs do you have with normal operation?
I have iptables logging what it rejects/drops. Of course, the regular
syslog stuff too.
> If you have a log of the normal start and stop but not the unexpected
> start and stop, and only *one* additional service is being exposed,
> then it sounds like something nefarious to me. Seriously.
Any unnecessary services being exposed are unacceptable.
> A final thought: How are you setting your iptables rules? Also, are
> you using an explicit DROP statement at the top?
No, iptables reads top-down. Thus, my config has explicit ACCEPT
statements for the stuff I want exposed, then an explicit REJECT statement
at the end. Putting a blanket DROP literally as the first statement would
kill all communications to/from the server.
--
~Jay
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
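The rule ordering Jay describes (explicit ACCEPTs for what belongs on the internal interface, a logged REJECT as the last rule, no DROP at the top), plus a check for the "iptables got reset and sunrpc is suddenly exposed" case, as an added example that is not from the thread or its author. It assumes eth1 is the internal interface and TCP/22 and TCP/111 are wanted there only; the interface name, the `ruleset`/`check_input_chain` helpers and the sample `iptables -S` output are all constructed for this example.

```shell
# Added example, not from the thread. Assumes eth0 external, eth1 internal
# (placeholder names); TCP/22 and TCP/111 are wanted on eth1 only.
INT_IF=eth1
# Rule set in iptables-restore format, ordered as the mail describes: explicit
# ACCEPTs first, one logged REJECT at the end, no DROP at the top. Printed
# rather than applied so it can be reviewed before feeding it to iptables-restore.
ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $INT_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -i $INT_IF -p tcp --dport 111 -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables-reject: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}
# check_input_chain: read `iptables -S INPUT` output on stdin; succeed only if
# the chain still ends in a catch-all REJECT/DROP and every ACCEPT for port 111
# is tied to the internal interface. Run it from cron and alert on failure.
check_input_chain() {
    rules=$(cat)
    last=$(printf '%s\n' "$rules" | grep '^-A INPUT' | tail -n 1)
    case "$last" in
        "-A INPUT -j REJECT"*|"-A INPUT -j DROP") ;;
        *) echo "no terminal REJECT/DROP on INPUT (last: '$last')" >&2; return 1 ;;
    esac
    if printf '%s\n' "$rules" | grep -- '--dport 111 ' | grep -- '-j ACCEPT' \
            | grep -qv -- "-i $INT_IF "; then
        echo "port 111 ACCEPT is not limited to $INT_IF" >&2; return 1
    fi
    return 0
}
# Constructed `iptables -S INPUT` output: the intended state, and the state
# after a botched reload that left policy ACCEPT and lost the terminal REJECT.
sample_good() {
    printf '%s\n' '-P INPUT ACCEPT' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -i eth1 -p tcp -m tcp --dport 111 -j ACCEPT' \
        '-A INPUT -j REJECT --reject-with icmp-port-unreachable'
}
sample_reset() {
    printf '%s\n' '-P INPUT ACCEPT' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT'
}
```

On the live box the check is `iptables -S INPUT | check_input_chain`; a policy of ACCEPT with no terminal rule is exactly the state in which TCP/111 on eth0 becomes reachable.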