Red Hat Bugzilla – Bug 4558
Portmapper Deosn't obey *names* in hosts.allow/deny
Last modified: 2008-05-01 11:37:51 EDT
The man page clearly states that portmapper looks to hosts.deny and hosts.allow for access control on both IP addresses, subnets, and domain and subdomain names. This is true, exect that it pays NO ATTENTION to names. This can be easily verified against a better behaving in.ftpd. wuftp obeys both names and IP address specifications, but names simply mistify portmapper (causing portmapper to disregard the entire entry(!)). This is a big security problem, because the man page is wrong and misleads people to think that they are denying very common things like NFS, when they in fact aren't! I see that portmapper has some other similar bug reports, but I think this problem is more general, and effects everyone.
RPC services such as portmap by default does not do name lookups to avoid deadlocks. Therefore only network number patterns will work for portmap access control. Example: /etc/hosts.allow: portmap: your.sub.net.number/your.sub.net.mask portmap: 255.255.255.255 0.0.0.0 /etc/hosts.deny portmap: ALL: (/some/where/safe_finger -l @%h | mail root) & Try using IP's instead of names and also you can turn on verbose logging by running portmap with the -v switch and then viewing what may be going wrong in /var/log/messages. The above information was found in /usr/doc/portmap-4.0/README.