https://community.hpe.com/t5/operating-system-hp-ux/ipfilter-and-ypserv/m-p/3265740#M569341 I have fixed the problem. I installed and comfigured IPFilters last night.<BR /><BR />The problem is that other networks at our company could see our NIS+ domain. A security audit was performed a few weeks ago and it was found that our passwd file potentially could be read because we are running NIS+ in YP compatabiity mode. The reason we enabled this mode is because we have some Alphas running Tru64 which does not support NIS+. So, the normal NIS tricks like setting up an /etc/securenets file doesn't work with NIS+. Plus, I could not find a way (nor could HP) to lock down the ports that NIS+ uses.<BR /><BR />I am now able to block just the two nisd ports eventhough the port numbers change each time NIS+ is started. I created a simple perl script that is called from the /sbin/init.d/nisplus.server start/stop script. The Perl script runs "rpcinfo -p | grep nisd", extracts the two port numbers, and writes a file called "/etc/ipf-nisplus.conf". The nisplus.server script then does an 'ipf -f /etc/ipf-nisplus.conf' in the start) section. Also, the nisplus.server script does an 'ipf -r -f /etc/ipf-nisplus.com' in the stop) section.<BR /><BR />The /etc/ipf-nisplus.conf file looks like:<BR /><BR />block in log from any to any port = 700<BR />pass in from xxx.yyy.zzz.0/24 to any port = 700<BR />block in log from any to any port = 701<BR />pass in from xxx.yyy.zzz.0/24 to any port = 701<BR /><BR />Of course, the port numbers will be different each time.<BR /><BR />Does this kludge sound like a reasonable solution to the prblem?<BR /><BR />Thanks,<BR />Steven<BR /> Tue, 04 May 2004 10:51:30 GMT Steven Whatley 2004-05-04T10:51:30Z https://community.hpe.com/t5/operating-system-hp-ux/ipfilter-and-ypserv/m-p/3265737#M569338 Hello all,<BR /><BR />I am running HP-UX 11.00. How do I tell ipfilter to block NIS ypserv connections? ypserv is given a different port by portmap each time NIS starts. <BR /><BR />I know about /etc/securenets but I am actually running NIS+ which doesn't use this file. I need to block all ypserv connections from out side of our subnet.<BR /><BR />Any info will be appreciated.<BR /><BR />Thanks,<BR />Steven<BR /><BR /> Mon, 03 May 2004 09:25:05 GMT https://community.hpe.com/t5/operating-system-hp-ux/ipfilter-and-ypserv/m-p/3265737#M569338 Steven Whatley 2004-05-03T09:25:05Z https://community.hpe.com/t5/operating-system-hp-ux/ipfilter-and-ypserv/m-p/3265738#M569339 Can't you lock ypserv to a port? From the man on ypserv:<BR /><BR />" -p --port port<BR />ypserv will bind itself to this port. This makes it possible to have a router filter packets to the NIS ports, so that access to the NIS server from hosts on the Internet can be restricted."<BR /><BR />Then it should be easy to block them.<BR /><BR />Ron<BR /><BR /> Mon, 03 May 2004 13:19:35 GMT https://community.hpe.com/t5/operating-system-hp-ux/ipfilter-and-ypserv/m-p/3265738#M569339 Ron Kinner 2004-05-03T13:19:35Z https://community.hpe.com/t5/operating-system-hp-ux/ipfilter-and-ypserv/m-p/3265739#M569340 I am actually running NIS+ and after talking with HP ITRC support, we could not come up with any way to lockdown the nisd daemon to a specific port. Acually, nisd listens on two ports because we are running NIS+ in YP-compatability. nisd seems to be getting its port numbers from RPC's portmapper. :(<BR /><BR />Thanks,<BR />Steven<BR /> Mon, 03 May 2004 14:09:50 GMT https://community.hpe.com/t5/operating-system-hp-ux/ipfilter-and-ypserv/m-p/3265739#M569340 Steven Whatley 2004-05-03T14:09:50Z https://community.hpe.com/t5/operating-system-hp-ux/ipfilter-and-ypserv/m-p/3265740#M569341 I have fixed the problem. I installed and comfigured IPFilters last night.<BR /><BR />The problem is that other networks at our company could see our NIS+ domain. A security audit was performed a few weeks ago and it was found that our passwd file potentially could be read because we are running NIS+ in YP compatabiity mode. The reason we enabled this mode is because we have some Alphas running Tru64 which does not support NIS+. So, the normal NIS tricks like setting up an /etc/securenets file doesn't work with NIS+. Plus, I could not find a way (nor could HP) to lock down the ports that NIS+ uses.<BR /><BR />I am now able to block just the two nisd ports eventhough the port numbers change each time NIS+ is started. I created a simple perl script that is called from the /sbin/init.d/nisplus.server start/stop script. The Perl script runs "rpcinfo -p | grep nisd", extracts the two port numbers, and writes a file called "/etc/ipf-nisplus.conf". The nisplus.server script then does an 'ipf -f /etc/ipf-nisplus.conf' in the start) section. Also, the nisplus.server script does an 'ipf -r -f /etc/ipf-nisplus.com' in the stop) section.<BR /><BR />The /etc/ipf-nisplus.conf file looks like:<BR /><BR />block in log from any to any port = 700<BR />pass in from xxx.yyy.zzz.0/24 to any port = 700<BR />block in log from any to any port = 701<BR />pass in from xxx.yyy.zzz.0/24 to any port = 701<BR /><BR />Of course, the port numbers will be different each time.<BR /><BR />Does this kludge sound like a reasonable solution to the prblem?<BR /><BR />Thanks,<BR />Steven<BR /> Tue, 04 May 2004 10:51:30 GMT https://community.hpe.com/t5/operating-system-hp-ux/ipfilter-and-ypserv/m-p/3265740#M569341 Steven Whatley 2004-05-04T10:51:30Z