tech-net archive


Re: NFS daemon port numbers for firewall config



mouse%Rodents-Montreal.ORG@localhost (Mouse) writes:

>SunRPC details to comment on CALLIT.  I _think_ it is useless if port
>111 is blocked, but I wouldn't trust my systems' security to that
>memory without checking it out first.)

The CALLIT procedure is provided by the service that runs on
port 111 (rpcbind). So nothing can happen if you block port 111.

Our implementation has a permanent UDP client socket opened for
the CALLIT procedure to proxy calls to other RPC services.
That socket is bound to a (privileged) ephemeral port and
may receive UDP packets from anywhere.

So, blocking UDP by default is required. But that should be
the setup for any host that needs to be protected.
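To make the forwarding path discussed above concrete, here is an added example (not code from the thread or from the rpcbind implementation being described) that encodes a PMAPPROC_CALLIT request as a client would send it to port 111, decodes such a request to expose the proxied target, and encodes/decodes the reply rpcbind hands back. Message layouts follow RFC 5531 (ONC RPC v2) and RFC 1833 (portmapper v2); the xid, the NFS program number 100003 and the port 2049 in the demo are constructed sample values, and the code never touches the network.

```python
import struct

# Constants from RFC 5531 (ONC RPC v2) and RFC 1833 (portmapper v2).
RPC_CALL, RPC_REPLY = 0, 1
RPC_VERSION = 2
PMAP_PROG, PMAP_VERS = 100000, 2
PMAPPROC_GETPORT, PMAPPROC_CALLIT = 3, 5
AUTH_NONE = 0
MSG_ACCEPTED, SUCCESS = 0, 0
IPPROTO_UDP = 17


def xdr_opaque(data: bytes) -> bytes:
    """Variable-length opaque: 4-byte length, then data padded to a 4-byte boundary."""
    return struct.pack(">I", len(data)) + data + b"\x00" * ((-len(data)) % 4)


def xdr_read_opaque(buf: bytes, off: int):
    """Decode a variable-length opaque at buf[off:]; returns (data, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    data = buf[off:off + n]
    if len(data) != n:
        raise ValueError("truncated opaque field")
    return data, off + n + ((-n) % 4)


def build_rpc_call(xid, prog, vers, proc, body=b""):
    """Generic RPCv2 CALL with AUTH_NONE credentials and verifier."""
    hdr = struct.pack(">IIIIII", xid, RPC_CALL, RPC_VERSION, prog, vers, proc)
    cred = verf = struct.pack(">II", AUTH_NONE, 0)   # flavor, empty opaque body
    return hdr + cred + verf + body


def build_getport_request(xid, prog, vers, prot=IPPROTO_UDP):
    """PMAPPROC_GETPORT: ask rpcbind on which port (prog, vers, prot) listens."""
    return build_rpc_call(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT,
                          struct.pack(">IIII", prog, vers, prot, 0))


def build_callit_request(xid, prog, vers, proc, args=b""):
    """PMAPPROC_CALLIT: ask rpcbind to forward (prog, vers, proc, args) to the target service."""
    return build_rpc_call(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_CALLIT,
                          struct.pack(">III", prog, vers, proc) + xdr_opaque(args))


def parse_rpc_call(buf: bytes):
    """Decode an RPC call header; for a portmapper CALLIT also expose the proxied target."""
    if len(buf) < 24:
        raise ValueError("short RPC message")
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">IIIIII", buf, 0)
    if mtype != RPC_CALL or rpcvers != RPC_VERSION:
        raise ValueError("not an RPCv2 call")
    off = 24
    for _ in range(2):                      # skip cred and verf: flavor + opaque body
        _, off = xdr_read_opaque(buf, off + 4)
    info = {"xid": xid, "prog": prog, "vers": vers, "proc": proc, "callit": None}
    if (prog, vers, proc) == (PMAP_PROG, PMAP_VERS, PMAPPROC_CALLIT):
        tprog, tvers, tproc = struct.unpack_from(">III", buf, off)
        args, _ = xdr_read_opaque(buf, off + 12)
        info["callit"] = {"prog": tprog, "vers": tvers, "proc": tproc, "args": args}
    return info


def build_callit_reply(xid, port, result=b""):
    """rpcbind's CALLIT reply: the port the target answered on, plus the target's result bytes."""
    hdr = struct.pack(">III", xid, RPC_REPLY, MSG_ACCEPTED)
    verf = struct.pack(">II", AUTH_NONE, 0)
    return hdr + verf + struct.pack(">II", SUCCESS, port) + xdr_opaque(result)


def parse_callit_reply(buf: bytes):
    """Decode an accepted CALLIT reply into xid, target port and raw result."""
    xid, mtype, rstat = struct.unpack_from(">III", buf, 0)
    if mtype != RPC_REPLY or rstat != MSG_ACCEPTED:
        raise ValueError("call was rejected or not a reply")
    _, off = xdr_read_opaque(buf, 16)       # verifier: flavor at 12, opaque body at 16
    (astat,) = struct.unpack_from(">I", buf, off)
    if astat != SUCCESS:
        raise ValueError("accept_stat %d" % astat)
    (port,) = struct.unpack_from(">I", buf, off + 4)
    result, _ = xdr_read_opaque(buf, off + 8)
    return {"xid": xid, "port": port, "result": result}


def demo():
    """Constructed round trip: CALLIT for NFSv3 NULL (prog 100003, proc 0), answered from 2049."""
    req = build_callit_request(0x1234, 100003, 3, 0)
    target = parse_rpc_call(req)["callit"]
    rep = parse_callit_reply(build_callit_reply(0x1234, 2049, b""))
    return {"request_len": len(req), "target": target, "reply": rep}


if __name__ == "__main__":
    print(demo())
```

`parse_rpc_call` can be run over UDP payloads captured toward port 111 to flag calls that ask rpcbind to proxy, and `build_callit_request` produces traffic to test your own filter rules with. Two caveats when probing: per RFC 1833, rpcbind sends no reply at all when the forwarded call fails, so a timeout does not prove the packet was filtered; and the forwarded request reaches the target from rpcbind's proxy socket, so on the target side the source is the privileged ephemeral port mentioned above, not 111.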


