Subject: Binding RPC services to specific ports
To: None <tech-security@NetBSD.org>
From: Luke Mewburn <lukem@NetBSD.org>
List: tech-security
Date: 07/18/2005 13:21:48
Hi all:
A feature that I've often desired is the ability to force
specific RPC services to be bound to specific TCP/IP ports.
I'd prefer a generic solution to this rather than hacking
each rpc daemon to support a "hardcode this port".
I did a little bit of research and found that IRIX 6.5.20
added /etc/rpcports -- as documented in their rpcports(4) at:
http://techpubs.sgi.com/library/tpl/cgi-bin/getdoc.cgi?coll=0650&db=man&fname=/usr/share/catman/p_man/cat4/rpcports.z
The syntax of IRIX's /etc/rpcports is that each line is
    program transport port access
(or empty or a comment line starting with '#')

Each line:
    program     RPC program number (see rpc(4)), or the
                capitalized keyword ANY.
                [NetBSD uses rpc(5)]
    transport   Transport name, either udp or tcp.
                [NetBSD also supports udp6/tcp6 ?]
    port        Port, or port range expressed as a pair of
                ports separated only by a ``-'' character,
                without any space or tab characters.
                A port is specified numerically.
                [Couldn't we support port names here?]
    access      Whether the port or port range is available,
                either ``allow'' or ``deny''.
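As an added illustration (this is not code from the post, nor from IRIX or NetBSD), here is a small Python parser for the rpcports format described above, together with a lookup that picks a port a given RPC program may bind on a given transport. Everything beyond the quoted IRIX syntax is an assumption: rules match on (program or ANY, transport, port), a deny rule overrides any allow rule for the same port, ports not covered by an allow rule are never handed out, udp6/tcp6 are accepted as transports, and a non-numeric port is looked up as a service name. The sample file and its program numbers are constructed for the example.

```python
"""Parser and lookup for an IRIX-style /etc/rpcports file (added example).

Assumed semantics, not IRIX's documented behaviour: a port is usable by a
program only if some matching rule allows it and no matching rule denies it.
"""
import socket
from dataclasses import dataclass
from typing import List, Optional

# udp6/tcp6 are an assumed extension beyond IRIX's udp/tcp.
TRANSPORTS = {"udp", "tcp", "udp6", "tcp6"}


@dataclass(frozen=True)
class Rule:
    program: Optional[int]   # None stands for the keyword ANY
    transport: str
    lo: int                  # inclusive port range lo..hi
    hi: int
    allow: bool

    def matches(self, program: int, transport: str, port: int) -> bool:
        return ((self.program is None or self.program == program)
                and self.transport == transport
                and self.lo <= port <= self.hi)


def _parse_port(text: str, transport: str) -> int:
    """Numeric port, or (assumed extension) a service name from /etc/services."""
    if text.isdigit():
        port = int(text)
    else:
        port = socket.getservbyname(text, transport.rstrip("6"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


def parse_rpcports(text: str) -> List[Rule]:
    """Parse the file contents; blank lines and '#' comments are ignored."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        prog_s, transport, port_s, access = fields
        program = None if prog_s == "ANY" else int(prog_s)
        if transport not in TRANSPORTS:
            raise ValueError(f"line {lineno}: bad transport {transport!r}")
        if "-" in port_s:
            lo_s, hi_s = port_s.split("-", 1)
            lo, hi = _parse_port(lo_s, transport), _parse_port(hi_s, transport)
        else:
            lo = hi = _parse_port(port_s, transport)
        if lo > hi:
            raise ValueError(f"line {lineno}: inverted range {port_s}")
        if access not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: access must be allow or deny")
        rules.append(Rule(program, transport, lo, hi, access == "allow"))
    return rules


def port_allowed(rules: List[Rule], program: int, transport: str, port: int) -> bool:
    """True iff a matching rule allows the port and no matching rule denies it."""
    matching = [r for r in rules if r.matches(program, transport, port)]
    return any(r.allow for r in matching) and all(r.allow for r in matching)


def pick_port(rules: List[Rule], program: int, transport: str) -> Optional[int]:
    """First port, in file order, that the program may bind on this transport."""
    for r in rules:
        if r.allow and (r.program is None or r.program == program) and r.transport == transport:
            for port in range(r.lo, r.hi + 1):
                if port_allowed(rules, program, transport, port):
                    return port
    return None


# Constructed sample file; 100003 (nfs) and 100005 (mountd) are the usual numbers.
SAMPLE = """\
# constructed sample rpcports file
100003 tcp 2049 allow        # nfs
100003 udp 2049 allow
100005 tcp 4000-4010 allow   # mountd gets a small range
100005 udp 4000-4010 allow
ANY    tcp 4000-4004 deny    # carved out of the range for something else
ANY    udp 6000-6100 deny
"""

if __name__ == "__main__":
    rules = parse_rpcports(SAMPLE)
    for prog, tr in ((100003, "tcp"), (100005, "tcp"), (100005, "udp"), (100021, "tcp")):
        print(prog, tr, pick_port(rules, prog, tr))
```

With the sample above, mountd on tcp is steered to 4005 because the ANY deny rule removes 4000-4004 from its allowed range, while a program with no rules at all (100021 in the `__main__` loop) gets no port, which is the conservative outcome when a file like this is meant to pin services down for firewalling.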
Do people know of other prior art in this area?
Comments about adding this style of functionality to NetBSD?
Cheers,
Luke.