RPC services - bind to 1 ip?

2001-01-26 Thread aphro

hi


I've been dealing with this for a long time, and was curious if
anyone knows if it's possible.

I want to force all RPC services to listen only on 1 interface.
It is VERY VERY difficult to firewall them as they apparently
choose random ports every time they load, which means I have to
spend 30 minutes running nmap on both TCP and UDP ports 1-65535 and
verifying what ports are open with lsof and netstat and firewalling
the RPC ones accordingly. This procedure works but it gets
old after a while :) so I wanna know if I can force RPC services
to bind to 1 interface, or force them to use the same ports
every time (even if I restart NFS it uses new ports). The RPCs
rpc.mountd and rpc.statd are the worst offenders for me.. sunrpc
is good and happily sits on port 111 ...

Luckily I don't reboot often but sometimes I need to reload
the /etc/exports file.. maybe I can do this without
reloading the NFS services.. but that still doesn't solve the
problem as a whole :) I don't think it's possible to run
RPCs from xinetd.. but if it is I'd like to know how.

thanks!

nate



Re: RPC services - bind to 1 ip?

2001-01-26 Thread Tom Marshall
This might help get you started or give you some ideas.

#
# somewhere in the initscripts after portmap and nfs are running ...
# perhaps in /etc/init.d/nfs-kernel-server
#
IFACE=eth1
# rpcinfo -p prints "program vers proto port name"; take the UDP port of the
# nfs program. Every NFS version (v2, v3) is listed on its own line with the
# same port, so dedupe with sort -u or ipchains is handed the port twice.
NFSPORT=`rpcinfo -p | awk '/udp.*nfs$/ { print $4; }' | sort -u`
for port in $NFSPORT; do
  ipchains -A input -i $IFACE -p udp --destination-port $port -j DENY
done

On Fri, Jan 26, 2001 at 11:20:12AM -0800, [EMAIL PROTECTED] wrote:
 
> hi
>
>
> I've been dealing with this for a long time, and was curious if
> anyone knows if it's possible.
>
> I want to force all RPC services to listen only on 1 interface.
> It is VERY VERY difficult to firewall them as they apparently
> choose random ports every time they load, which means I have to
> spend 30 minutes running nmap on both TCP and UDP ports 1-65535 and
> verifying what ports are open with lsof and netstat and firewalling
> the RPC ones accordingly. This procedure works but it gets
> old after a while :) so I wanna know if I can force RPC services
> to bind to 1 interface, or force them to use the same ports
> every time (even if I restart NFS it uses new ports). The RPCs
> rpc.mountd and rpc.statd are the worst offenders for me.. sunrpc
> is good and happily sits on port 111 ...
>
> Luckily I don't reboot often but sometimes I need to reload
> the /etc/exports file.. maybe I can do this without
> reloading the NFS services.. but that still doesn't solve the
> problem as a whole :) I don't think it's possible to run
> RPCs from xinetd.. but if it is I'd like to know how.
>
> thanks!
>
> nate



Re: RPC services - bind to 1 ip?

2001-01-26 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

> I've been dealing with this for a long time, and was curious if anyone
> knows if it's possible.
>
> I want to force all RPC services to listen only on 1 interface. It is
> VERY VERY difficult to firewall them as they apparently choose random
> ports every time they load, which means I have to spend 30 minutes
> running nmap on both TCP and UDP ports 1-65535 and verifying what ports
> are open with lsof and netstat and firewalling the RPC ones accordingly.
> This procedure works but it gets old after a while :) so I wanna know
> if I can force RPC services to bind to 1 interface, or force them to
> use the same ports every time (even if I restart NFS it uses new ports).
> The RPCs rpc.mountd and rpc.statd are the worst offenders for me..
> sunrpc is good and happily sits on port 111 ...
>
> Luckily I don't reboot often but sometimes I need to reload the
> /etc/exports file.. maybe I can do this without reloading the NFS
> services.. but that still doesn't solve the problem as a whole :) I
> don't think it's possible to run RPCs from xinetd.. but if it is I'd
> like to know how.

There isn't a way that I know of to force the RPC services to bind to
specific IPs.  If you find one I'd like to hear about it :)

What I usually end up doing is setting up a good default-deny firewall to
keep things clean.

-- 
--
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc