IBM AIX Packet Filter module

From: Brumbles (brummieat_private)
Date: Mon Oct 25 1999 - 12:45:19 PDT


    I have tried unsuccessfully to get any response from IBM on the following;
    apparently unless you have a support contract you can't report bugs..
    (well.. you can.. "Program Services", but that's a link to /dev/null
    apparently.)
    
    AIX level: AIX 4.3.2
    Packet Filtering Module, in particular the command genfilt does not allow
    the addition of filters with port numbers greater than 32767
    
    genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 \
    -c udp -o any -O eq  -P 123 -l n -w I -i all
    
    Works fine... but...
    
    genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -c udp \
    -o any -O eq  -P 32768 -l n -w I -i all
    
    Fails with:
    Bad destination port/ICMP type "32768".
    
    All is well if you use port 32767.
    
    Simply put, the -P (port) parameter will not accept an argument greater
    than 32767.
    
    Obviously there are a lot of things above 32768 that you might want to filter,
    e.g. rstatd and other RPC programs, and also if I wanted to ensure that
    my users aren't opening up any services that sit on high ports, they can
    circumvent any protection I layer on top by starting their service above
    32767!
    
    As the AIX4.3.2 packet filtering module is based upon the commercial IBM
    firewall, I would be very interested to see if this weakness also exists
    in that product.
    
    I believe this opens up a security problem for anyone using the AIX
    filtering that wants to continue using RPC on an internal interface, but
    wishes to present only certain ports to an external side.
    
    Thanks,
    Brum.
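    The failure mode reported above, as an added illustration that is not part of
    the original post and not IBM's code: the post only shows that genfilt's -P
    argument rejects anything above 32767, so the cause assumed here (the port
    being range-checked against a signed 16-bit type, whose maximum is 32767) is a
    hypothesis, not something the post establishes. The first parser reproduces
    the observed behaviour under that assumption; the second is the check a
    defender would want, accepting the full 0..65535 port range and rejecting
    negative, out-of-range and non-numeric input. The function names are made up
    for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical reproduction of the reported behaviour: the port argument is
 * range-checked against a signed 16-bit type, so every port above 32767 is
 * rejected although TCP/UDP ports run to 65535. This is an assumed cause,
 * not the actual genfilt implementation.
 * Returns true and stores the port on success, false on rejection. */
bool parse_port_signed16(const char *arg, int *port_out)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0')   /* not a clean integer */
        return false;
    if (v < 0 || v > SHRT_MAX)                       /* SHRT_MAX == 32767 */
        return false;
    *port_out = (int)v;
    return true;
}

/* Corrected check: a port is any integer in 0..65535 (uint16_t), and only a
 * fully consumed decimal string is accepted. */
bool parse_port_u16(const char *arg, uint16_t *port_out)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0')
        return false;
    if (v < 0 || v > UINT16_MAX)                     /* UINT16_MAX == 65535 */
        return false;
    *port_out = (uint16_t)v;
    return true;
}

/* Wrappers returning the parsed port, or -1 when the input is rejected, so
 * the two parsers can be compared over the same inputs. */
int port_signed16(const char *arg)
{
    int p;
    return parse_port_signed16(arg, &p) ? p : -1;
}

int port_u16(const char *arg)
{
    uint16_t p;
    return parse_port_u16(arg, &p) ? (int)p : -1;
}

int main(void)
{
    /* Constructed sample arguments: the two values from the post, the edges
     * of the 16-bit range, and some malformed input. */
    const char *samples[] = { "123", "32767", "32768", "65535", "65536", "-1", "12a" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-6s signed16=%6d  u16=%6d\n", samples[i],
               port_signed16(samples[i]), port_u16(samples[i]));
    return 0;
}
```

    Run stand-alone, the table shows "32768" accepted only by the corrected
    parser, which is exactly the gap the post describes: any rule a filter tool
    cannot express is a rule that is silently absent, so the audit step a
    practitioner wants is to confirm that every port in the intended policy is
    actually present in the loaded rule set rather than trusting that the
    command succeeded.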
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:08:49 PDT