[nylug-talk] constant port number for rstatd?

Chris Knadle Chris.Knadle at coredump.us
Tue Dec 25 15:39:07 EST 2007


On Tuesday 25 December 2007, C Thala wrote:
> On Dec 24, 2007 6:37 PM, Chris Knadle <Chris.Knadle at coredump.us> wrote:
> > On Monday 24 December 2007, Brian Gupta wrote:
> > > Can you explain why you want this? Is it a firewall issue?
> >
> > It shouldn't be, or if it is it should be part of a LAN<->LAN firewall
> > issue: rstatd (and all RPC services, really, IIRC) is meant for use on
> > the local network, not the internet.
>
> This is between machines on our LAN.
>
> Our default network settings on our LAN are to block *everything* but
> ICMP and then allow only what is absolutely necessary (usually SSH,
> HTTP, and HTTPS).

   IMHO, a good security policy starts off with Default Deny.

> Having rstatd run on [random] port every time it starts is very painful
> with these network settings.
>
> Before anyone asks, no, changing the default firewall settings is not
> an option. This is not too restrictive.

   A passing thought I had was whether it would be possible to allow rstatd to
pass via TOS rules [Type Of Service] or other very specific firewall rules...
but these are features that the common cheap firewalls don't have.

> While most of our machines are
> Linux boxes, we have enough Windows machines (and public web servers
> as well) in the mix to not want to open up our LAN traffic to
> everything else on the LAN. Can't be too paranoid nowadays.

   Yeah.  It's a good idea not to rely on only the external firewall +
related "border controls".  The chain is only as strong as the weakest link,
and these days with VPNs connecting offices it can be a good idea to restrict
unnecessary protocols even "internally".

   -- Chris

-- 

Chris Knadle
Chris.Knadle at coredump.us
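Added example, not part of this thread: the administrative chore C Thala describes, namely re-deriving the one default-deny exception for rstatd after each restart, because the portmapper hands it a fresh port. It assumes a constructed `rpcinfo -p` listing (not captured from any real host) and a hypothetical LAN prefix of 192.168.1.0/24.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output; not from any real machine.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100001    1   udp  32768  rstatd
    100001    3   udp  32768  rstatd
    100024    1   udp  32769  status'

# Print the UDP port the portmapper currently reports for rstatd
# (RPC program number 100001). Reads rpcinfo -p output on stdin and
# prints nothing if rstatd is not registered.
rstatd_port() {
    awk '$1 == 100001 && $3 == "udp" { print $4; exit }'
}

# Emit the single iptables rule that admits rstatd from one LAN prefix
# to the port found now. On a default-deny INPUT chain this rule is the
# only hole for rstatd, and it goes stale as soon as rstatd restarts.
rstatd_rule() {
    lan="$1"; port="$2"
    printf 'iptables -A INPUT -s %s -p udp --dport %s -j ACCEPT\n' "$lan" "$port"
}

main() {
    # With a live host this would be: port=$(rpcinfo -p | rstatd_port)
    port=$(printf '%s\n' "$SAMPLE_RPCINFO" | rstatd_port)
    [ -n "$port" ] || { echo "rstatd not registered with portmapper" >&2; return 1; }
    rstatd_rule 192.168.1.0/24 "$port"
}

main
```

The rule it prints would have to be regenerated (and the previous one removed) on every rstatd restart, which is exactly why a fixed port is wanted on a default-deny LAN.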

