Red Hat Bugzilla – Bug 4558
Portmapper Doesn't obey *names* in hosts.allow/deny
Last modified: 2008-05-01 11:37:51 EDT
The man page clearly states that portmapper looks to
hosts.deny and hosts.allow for access control on both
IP addresses, subnets, and domain and subdomain names. This
is true, except that it pays NO ATTENTION to names. This can
be easily verified against a better behaving in.ftpd. wuftp
obeys both names and IP address specifications, but names
simply mystify portmapper (causing portmapper to disregard
the entire entry(!)). This is a big security problem,
because the man page is wrong and misleads people to think
that they are denying very common things like NFS, when they
in fact aren't! I see that portmapper has some other
similar bug reports, but I think this problem is more
general, and affects everyone.
RPC services such as portmap by default do not do name lookups to
avoid deadlocks. Therefore only network number patterns will work for
portmap access control.
portmap: 255.255.255.255 0.0.0.0
portmap: ALL: (/some/where/safe_finger -l @%h | mail root) &
Try using IP's instead of names and also you can turn on verbose
logging by running portmap with the -v switch and then viewing what
may be going wrong in /var/log/messages.
The above information was found in /usr/doc/portmap-4.0/README.
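To make the consequence of the reply concrete, here is an added example that is not part of the bug report or of the portmap package. It models hosts_access(5) matching the way portmap does it: the peer is known only by its IP address, no reverse lookup ever happens, so a hostname or domain pattern can never match, while an exact address, a trailing-dot network-number prefix, a net/mask pair and ALL still work. It also audits a hosts.allow/hosts.deny file for portmap rules that are dead for that reason. The sample files and the addresses in them are constructed; the model is deliberately simplified (IPv4 only, EXCEPT handled, shell-command and option fields ignored, no % expansions).

```python
"""Evaluate hosts.allow / hosts.deny for portmap, which matches on IP only.

Constructed example; not code from the bug report or from the portmap package.
"""
import ipaddress
import re

DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
NET_PREFIX = re.compile(r"^(\d{1,3}\.){1,3}$")      # e.g. "192.168." (trailing dot)


def needs_lookup(pattern):
    """True if a hosts_access client pattern can only ever match a host *name*.

    portmap identifies the peer by IP address alone, so such a pattern is dead:
    it neither allows nor denies anything.
    """
    p = pattern.strip()
    if p.upper() == "ALL" or DOTTED_QUAD.match(p) or NET_PREFIX.match(p):
        return False
    if "/" in p:                                       # net/mask form
        net, _, mask = p.partition("/")
        return not (DOTTED_QUAD.match(net) and DOTTED_QUAD.match(mask))
    return True    # hostname, ".domain" suffix, LOCAL, KNOWN, PARANOID, @netgroup


def ip_matches(pattern, ip):
    """Match a client IP against one pattern without resolving any names."""
    p = pattern.strip()
    if needs_lookup(p):
        return False
    if p.upper() == "ALL":
        return True
    if DOTTED_QUAD.match(p):
        return ip == p
    if NET_PREFIX.match(p):
        return ip.startswith(p)
    net, _, mask = p.partition("/")
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)


def split_except(tokens):
    """Split a hosts_access list at the (case-insensitive) EXCEPT operator."""
    for i, t in enumerate(tokens):
        if t.upper() == "EXCEPT":
            return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_rules(text):
    """Yield (daemon_inc, daemon_exc, client_inc, client_exc) per rule line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()            # drop comments
        fields = [f.strip() for f in line.split(":")]   # 3rd+ fields (commands) ignored
        if len(fields) < 2:
            continue
        d_inc, d_exc = split_except(fields[0].replace(",", " ").split())
        c_inc, c_exc = split_except(fields[1].replace(",", " ").split())
        yield d_inc, d_exc, c_inc, c_exc


def daemon_listed(daemon, tokens):
    return any(t == daemon or t.upper() == "ALL" for t in tokens)


def rule_matches(rule, daemon, ip):
    d_inc, d_exc, c_inc, c_exc = rule
    if not daemon_listed(daemon, d_inc) or daemon_listed(daemon, d_exc):
        return False
    return any(ip_matches(p, ip) for p in c_inc) and not any(ip_matches(p, ip) for p in c_exc)


def portmap_access(allow_text, deny_text, ip, daemon="portmap"):
    """hosts_access order: first hosts.allow match wins, then hosts.deny, else allow."""
    if any(rule_matches(r, daemon, ip) for r in parse_rules(allow_text)):
        return "allow"
    if any(rule_matches(r, daemon, ip) for r in parse_rules(deny_text)):
        return "deny"
    return "allow"


def dead_rules(text, daemon="portmap"):
    """Client patterns in rules covering `daemon` that can never match an IP."""
    found = []
    for d_inc, d_exc, c_inc, c_exc in parse_rules(text):
        if daemon_listed(daemon, d_inc) and not daemon_listed(daemon, d_exc):
            found.extend(p for p in c_inc + c_exc if needs_lookup(p))
    return found


# Constructed sample files. Assume 10.0.0.5 reverse-resolves to bad.example.com,
# which is what an admin writing the ".example.com" deny rule expects to block.
HOSTS_ALLOW = """
portmap: 192.168.1.                 # network-number prefix: works for portmap
"""
HOSTS_DENY = """
portmap: .example.com               # name pattern: never consulted, never matches
portmap: 172.16.0.0/255.255.0.0     # net/mask pattern: works for portmap
"""

if __name__ == "__main__":
    for client in ("192.168.1.20", "10.0.0.5", "172.16.4.9"):
        print(client, portmap_access(HOSTS_ALLOW, HOSTS_DENY, client))
    print("dead portmap rules in hosts.deny:", dead_rules(HOSTS_DENY))
```

Run against these files, 10.0.0.5 is allowed despite the .example.com deny line, which is exactly the silent failure the report describes; 172.16.4.9 is denied by the net/mask rule. Running dead_rules over the real /etc/hosts.allow and /etc/hosts.deny is a quick way to find portmap entries that look like protection but are not.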