IPMI & portrange

Danny Braniss danny at cs.huji.ac.il
Tue Sep 26 23:03:38 PDT 2006


> On Tue, Sep 26, 2006 at 01:53:44PM -0700, John Polstra wrote:
> > On 26-Sep-2006 Danny Braniss wrote:
> > >       This keeps biting me every other upgrade, IPMI on some
> > > hosts, if enabled, will steal packets to port 623 or 664, so
> > > the current solution is either set net.inet.ip.portrange.lowlast
> > > to 664, (for some reason this does not seem to work if done via
> > > loader.conf) or change it in sys/netinet/in.h.
> > >
> > >       So, is there some way to blacklist some ports, instead
> > > of increasing portrange.lowlast?
> >
> > You could use your favorite scripting language to create a socket,
> > bind it to the port, listen on it, and just sit there doing nothing
> > -- for each port you want to blacklist.  That would keep the ports
> > from being used by anything else.
> 
> Extending the internal service functionality of inetd might be a good
> approach for this sort of thing.  The current method of service matching
> based on port and protocol could be augmented with the ability to
> connect arbitrary "internal" services to arbitrary ports, perhaps via
> arguments to the "internal" command.  Then you could hook discard to
> ports you don't want to use.
> 
> -- Brooks

Some IP traffic is generated earlier, tftp/dhcp/dns/nfs, which
ruins my initial thought of putting the list in loader.rc or something -
in a diskless environment there is a chicken and egg problem.

danny
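The "bind it and just sit there" workaround John Polstra describes, written out as an added example (this is not code from the thread or from FreeBSD). It holds both a UDP and a TCP socket on each port to be blacklisted, since IPMI/RMCP traffic is UDP but the ephemeral allocator also hands out TCP ports, and it provides a check function that confirms the kernel now refuses the port with EADDRINUSE. The port numbers 623 and 664 come from the thread; the high test ports used in the check (40623, 40664) are constructed so the check can run without root, and the function and variable names are this example's own.

```python
"""Reserve ports so the kernel's ephemeral-port allocator never hands them out.

Added example: implements the suggestion of binding and listening on each
port you want blacklisted. Dropping the returned socket objects releases the
port again, so keep them referenced for as long as the reservation must last.
Ports below 1024 need root (or the equivalent privilege) to bind.
"""
import errno
import socket
import time

IPMI_PORTS = (623, 664)  # ports named in the thread as being stolen by IPMI


def reserve_port(port, addr=""):
    """Bind a UDP and a TCP socket to `port` (and listen on the TCP one).

    Returns the list of open sockets. No SO_REUSEADDR is set on purpose:
    the whole point is that nothing else can bind or be assigned this port.
    """
    held = []
    for proto in (socket.SOCK_DGRAM, socket.SOCK_STREAM):
        s = socket.socket(socket.AF_INET, proto)
        try:
            s.bind((addr, port))
        except OSError:
            # Release anything already taken so a failure leaves no half-reservation.
            for h in held:
                h.close()
            s.close()
            raise
        if proto == socket.SOCK_STREAM:
            s.listen(1)  # listening is not strictly needed, but mirrors the suggestion
        held.append(s)
    return held


def reserve_ports(ports):
    """Reserve every port in `ports`; returns {port: [sockets]}."""
    return {p: reserve_port(p) for p in ports}


def port_is_blocked(port, tcp=False):
    """Check: attempt an explicit bind and report whether the kernel refuses
    it with EADDRINUSE, i.e. whether the port is currently unusable."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM)
    try:
        s.bind(("", port))
    except OSError as e:
        return e.errno == errno.EADDRINUSE
    finally:
        s.close()
    return False


def release(held):
    """Close all sockets returned by reserve_ports, freeing the ports."""
    for socks in held.values():
        for s in socks:
            s.close()


if __name__ == "__main__":
    # Hold the IPMI ports until interrupted (requires root for ports < 1024).
    reserved = reserve_ports(IPMI_PORTS)
    print("holding ports:", sorted(reserved))
    try:
        while True:
            time.sleep(3600)
    except KeyboardInterrupt:
        release(reserved)
```

This only protects the ports from the moment the script is running, which is exactly the limitation raised in the reply above: traffic generated before userland is up (tftp, dhcp, dns, nfs on a diskless host) can still be assigned one of these ports. The sysctl route the thread mentions (net.inet.ip.portrange.lowlast) is the kernel-side alternative for that window.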

More information about the freebsd-net mailing list