Discussion:
Filter rules for RPC based services
Edgar Fuß
2012-09-13 16:33:42 UTC
When writing (ipf) filter rules for a machine running RPC based services,
is there any sane way to allow incoming traffic to the relevant ports?

I currently guess a range for both NFS locking (lockd/statd) and quota
(rquotad) and yesterday found NLM being blocked by the packet filter
because I had mis-guessed the port range.

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Ignatios Souvatzis
2012-09-17 05:40:19 UTC
Post by Edgar Fuß
When writing (ipf) filter rules for a machine running RPC based services,
is there any sane way to allow incoming traffic to the relevant ports?
As far as I know (I didn't look up the documentation):

I think the only fixed ports are tcp/udp 111 for contacting that service.

NFS happens to be fixed to tcp/udp ports 2049, but that's not the normal
case.

rpcinfo to the serverhost will show you the registered servers.

Regards,
-is

Lloyd Parkes
2012-09-17 06:28:15 UTC
Post by Edgar Fuß
When writing (ipf) filter rules for a machine running RPC based services,
is there any sane way to allow incoming traffic to the relevant ports?
I suspect that you would have to do it the same way that ftp is supported by ipf and that is to write a proxy for rpcbind so that you can find out what ports are required on the fly.

Cheers,
Lloyd
Edgar Fuß
2012-09-17 09:21:57 UTC
Post by Lloyd Parkes
write a proxy for rpcbind
I think it would suffice if one could give RPC program numbers in ipf.conf
and rpcbind would notify ipf which ports it assigned.
Only my skills probably don't suffice for implementing that.

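The two suggestions in this thread (Ignatios: ask rpcbind via rpcinfo which ports are registered; Edgar: express the filter policy in terms of RPC program numbers rather than guessed port ranges) can be combined into a small script that turns `rpcinfo -p` output into ipf pass rules. The script below is an added example, not code posted in the thread; the rpcinfo listing embedded in it is constructed for illustration (the ephemeral ports 841, 845, 932, 936, 770 and 772 are made up), and the function names `rpc_ports` and `ipf_rules` are the author's own. The program numbers 100021 (nlockmgr), 100024 (status) and 100011 (rquotad) are the standard assignments.

```shell
#!/bin/sh
# Added example: generate ipf pass rules for selected RPC programs
# from the output of `rpcinfo -p`. Not part of the original thread.

# Constructed sample of `rpcinfo -p <host>` output. The NFS port (2049)
# and portmapper port (111) are the well-known values; the other ports
# are invented to stand in for whatever rpcbind handed out at boot.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp    841  mountd
    100005    3   tcp    845  mountd
    100021    1   udp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr
    100024    1   udp    932  status
    100024    1   tcp    936  status
    100011    1   udp    770  rquotad
    100011    2   tcp    772  rquotad'

# rpc_ports PROGRAM...
# Reads `rpcinfo -p` output on stdin and prints one "proto port" pair
# per distinct (proto, port) registered for any of the given program
# numbers. Versions of the same program sharing a port collapse to one line.
rpc_ports() {
    awk -v progs="$*" '
        BEGIN { n = split(progs, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        NR > 1 && ($1 in want) && !seen[$3 " " $4]++ { print $3, $4 }'
}

# ipf_rules PROGRAM...
# Emits an ipf "pass in" rule for every port rpc_ports reports. Only the
# ports rpcbind actually registered for the named programs are opened,
# so there is no guessed range and nothing else that happens to live in it.
ipf_rules() {
    rpc_ports "$@" | while read -r proto port; do
        printf 'pass in quick proto %s from any to any port = %s keep state\n' \
            "$proto" "$port"
    done
}

# Sample run against the constructed listing: rules for NLM, statd and rquotad.
# On a real host this would be: rpcinfo -p server | ipf_rules 100021 100024 100011
printf '%s\n' "$SAMPLE_RPCINFO" | ipf_rules 100021 100024 100011
```

rpcbind itself (tcp/udp 111) still needs its own static rule, and because the registered ports change whenever the services restart, the generated rules have to be regenerated and reloaded at that point rather than written once; the script gives a deterministic rule set for the current registrations, not the in-kernel notification Edgar describes.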