HPE GreenLake Administration
- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- ipfilter and ypserv
Operating System - HP-UX
1833196
Members
2985
Online
110051
Solutions
Forums
Categories
Company
Local Language
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Forums
Discussions
Discussions
Discussions
Forums
Discussions
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-03-2004 02:25 AM
05-03-2004 02:25 AM
ipfilter and ypserv
Hello all,
I am running HP-UX 11.00. How do I tell ipfilter to block NIS ypserv connections? ypserv is given a different port by portmap each time NIS starts.
I know about /etc/securenets but I am actually running NIS+ which doesn't use this file. I need to block all ypserv connections from out side of our subnet.
Any info will be appreciated.
Thanks,
Steven
I am running HP-UX 11.00. How do I tell ipfilter to block NIS ypserv connections? ypserv is given a different port by portmap each time NIS starts.
I know about /etc/securenets but I am actually running NIS+ which doesn't use this file. I need to block all ypserv connections from out side of our subnet.
Any info will be appreciated.
Thanks,
Steven
3 REPLIES 3
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-03-2004 06:19 AM
05-03-2004 06:19 AM
Re: ipfilter and ypserv
Can't you lock ypserv to a port? From the man on ypserv:
" -p --port port
ypserv will bind itself to this port. This makes it possible to have a router filter packets to the NIS ports, so that access to the NIS server from hosts on the Internet can be restricted."
Then it should be easy to block them.
Ron
" -p --port port
ypserv will bind itself to this port. This makes it possible to have a router filter packets to the NIS ports, so that access to the NIS server from hosts on the Internet can be restricted."
Then it should be easy to block them.
Ron
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-03-2004 07:09 AM
05-03-2004 07:09 AM
Re: ipfilter and ypserv
I am actually running NIS+ and after talking with HP ITRC support, we could not come up with any way to lockdown the nisd daemon to a specific port. Acually, nisd listens on two ports because we are running NIS+ in YP-compatability. nisd seems to be getting its port numbers from RPC's portmapper. :(
Thanks,
Steven
Thanks,
Steven
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-04-2004 03:51 AM
05-04-2004 03:51 AM
Re: ipfilter and ypserv
I have fixed the problem. I installed and comfigured IPFilters last night.
The problem is that other networks at our company could see our NIS+ domain. A security audit was performed a few weeks ago and it was found that our passwd file potentially could be read because we are running NIS+ in YP compatabiity mode. The reason we enabled this mode is because we have some Alphas running Tru64 which does not support NIS+. So, the normal NIS tricks like setting up an /etc/securenets file doesn't work with NIS+. Plus, I could not find a way (nor could HP) to lock down the ports that NIS+ uses.
I am now able to block just the two nisd ports eventhough the port numbers change each time NIS+ is started. I created a simple perl script that is called from the /sbin/init.d/nisplus.server start/stop script. The Perl script runs "rpcinfo -p | grep nisd", extracts the two port numbers, and writes a file called "/etc/ipf-nisplus.conf". The nisplus.server script then does an 'ipf -f /etc/ipf-nisplus.conf' in the start) section. Also, the nisplus.server script does an 'ipf -r -f /etc/ipf-nisplus.com' in the stop) section.
The /etc/ipf-nisplus.conf file looks like:
block in log from any to any port = 700
pass in from xxx.yyy.zzz.0/24 to any port = 700
block in log from any to any port = 701
pass in from xxx.yyy.zzz.0/24 to any port = 701
Of course, the port numbers will be different each time.
Does this kludge sound like a reasonable solution to the prblem?
Thanks,
Steven
The problem is that other networks at our company could see our NIS+ domain. A security audit was performed a few weeks ago and it was found that our passwd file potentially could be read because we are running NIS+ in YP compatabiity mode. The reason we enabled this mode is because we have some Alphas running Tru64 which does not support NIS+. So, the normal NIS tricks like setting up an /etc/securenets file doesn't work with NIS+. Plus, I could not find a way (nor could HP) to lock down the ports that NIS+ uses.
I am now able to block just the two nisd ports eventhough the port numbers change each time NIS+ is started. I created a simple perl script that is called from the /sbin/init.d/nisplus.server start/stop script. The Perl script runs "rpcinfo -p | grep nisd", extracts the two port numbers, and writes a file called "/etc/ipf-nisplus.conf". The nisplus.server script then does an 'ipf -f /etc/ipf-nisplus.conf' in the start) section. Also, the nisplus.server script does an 'ipf -r -f /etc/ipf-nisplus.com' in the stop) section.
The /etc/ipf-nisplus.conf file looks like:
block in log from any to any port = 700
pass in from xxx.yyy.zzz.0/24 to any port = 700
block in log from any to any port = 701
pass in from xxx.yyy.zzz.0/24 to any port = 701
Of course, the port numbers will be different each time.
Does this kludge sound like a reasonable solution to the prblem?
Thanks,
Steven
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
Company
Events and news
Customer resources
© Copyright 2025 Hewlett Packard Enterprise Development LP