Why not configure portmapper to listen on localhost, then have the
services (mountd, ypserv, etc.) that need it enable listening on the
wire when they start? You'd need a cooperative arrangement whereby the
init scripts would shut down external portmapper if they were the last
service that needed it on service shutdown.
Of course, you can argue that an admin that is configuring NFS
or NIS should understand the security implications and other
requirements of these services, but we don't live in a perfect world.
and therefore be able to
On Mon, 2003-08-25 at 08:45, rhldevel(a)assursys.co.uk wrote:
> On Mon, 25 Aug 2003, Bill Nottingham wrote:
> > rhldevel(a)assursys.co.uk (rhldevel(a)assursys.co.uk) said:
> > > Which local processes? We've already heard about sgi_fam, and we already
> > > know about NIS and NFS, but is this really worth leaving it listening on
> > > external interfaces in a _default_ install?
> > Set up a firewall, as is the default in the install...
> Certainly, and allowing easy configuration of Linux's IP filtering
> functionality at install time was a very responsible move by RH.
> But to a lot of naïve users, firewalls are deeply technical things, that
> they worry will interfere with normal usage. As a result, I believe a number
> of such users will install with the firewall disabled, or stop it when
> attempting to get things working - perhaps never to (re-)enable it. Having
> things like X11, portmapper and rpc.statd listening on an external interface
> is asking for trouble, IMHO.
Howard Owen
EGBOK Consultants
hbo(a)egbok.com +1-650-339-5733
"Even if you are on the right track, you'll get run over if you just sit there." - Will Rogers
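An audit for the exposure this thread discusses, added here as an example and not part of any poster's message: it parses `/proc/net/tcp`-format text and reports TCP listeners bound to anything other than loopback, naming portmapper and X11 by port. The sample table is constructed, the function names are hypothetical, and a little-endian host is assumed.

```python
import ipaddress
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 00000000:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0A00000A:0016 0A000002:C350 01 00000000:00000000 00:00000000 00000000     0        0 1004 1
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def parse_listeners(text):
    """Return (IPv4Address, port) for every listening TCP socket."""
    found = []
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # Assumption: little-endian host (x86), so the address is byte-swapped.
        packed = struct.pack("<I", int(hex_ip, 16))
        found.append((ipaddress.IPv4Address(socket.inet_ntoa(packed)), int(hex_port, 16)))
    return found


def label(port):
    """Name the services from the thread that have fixed TCP ports."""
    if port == 111:
        return "portmapper"
    if 6000 <= port <= 6063:  # X11 display N listens on 6000+N
        return "X11"
    return "unknown"  # e.g. rpc.statd, whose port is assigned at start-up


def exposed(text):
    """Listeners bound to anything other than loopback, sorted by port."""
    return sorted((port, label(port), str(ip))
                  for ip, port in parse_listeners(text) if not ip.is_loopback)


if __name__ == "__main__":
    for port, name, addr in exposed(SAMPLE):
        print(f"{addr}:{port} ({name}) is reachable from the network")
```

On a live Linux host, pass the contents of `/proc/net/tcp` to `exposed()` instead of `SAMPLE`.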