tech-net archive


Re: NFS daemon port numbers for firewall config



campbell+netbsd-tech-net%mumble.net@localhost (Taylor R Campbell) writes:

>An NFS server has various daemons listening on various ports:
>
>- kernel listens for nfs protocol on port 2049
>- rpcbind(8) listens for portmapper protocol on port 111
>- rpcbind(8) also listens for rpcbind protocol on a dynamically chosen
>  port

rpcbind == portmapper. There is only the portmapper protocol on
port 111.


>- mountd(8) listens for mount protocol on a port that can be chosen
>  with `-p', or on a port dynamically chosen by rpcbind(8)

The port is always chosen by the service. rpcbind is used to register
it, so clients can query the port from the (program,version,protocol)
triple.


>- rpc.lockd, statd, quotad all use dynamically chosen ports

SunRPC uses dynamic ports that are registered with rpcbind. The
only fixed port is 111 for rpcbind itself.

nfsd uses the fixed port 2049 for historical reasons, nobody
ever implemented it with a dynamic port, even when SunRPC would
allow that.

For firewalling a static port is easier. That's why mountd started
to offer a static port too. The other protocols (lock/stat/quota)
are rarely used through a firewall.

Real firewalls inspect the portmapper protocol, learn about what
ports get registered and automatically allow sessions to the registered
ports.

NFSv4 got rid of all the SunRPC details. It uses only a single
service (for nfs, mount, locking, etc.) on the static port 2049
for everything. No rpcbind involved.


>How does one configure a firewall to limit this traffic, e.g. to allow
>NFS traffic only from one network interface and not others?

You configure firewalls to limit traffic between networks, not interfaces.


>One can restrict ports 2049 and 111, and set a fixed port number for
>mountd, but even if one doesn't run lockd/statd/quotad there's still the
>dynamic rpcbind port.

There is no such thing.

What you see are _client sockets_ used by rpcbind.

daemon   rpcbind     1262    6* internet6 dgram udp *:sunrpc
daemon   rpcbind     1262    7* internet6 dgram udp *:1023     <---
daemon   rpcbind     1262    8* internet6 stream tcp *:sunrpc
daemon   rpcbind     1262    9* internet dgram udp *:sunrpc
daemon   rpcbind     1262   10* internet dgram udp *:1023     <---
daemon   rpcbind     1262   11* internet stream tcp *:sunrpc
daemon   rpcbind     1262   12* internet6 dgram udp c5bd9700

Those are dynamic ephemeral privileged ports used by the CALLIT
procedure to send out RPC calls to other services.


>I think all of these daemons should maybe have a `-p <port>' option
>like mountd(8) so an admin can predetermine the port numbers and bake
>them into npf.conf.

Yes. Linux e.g. allows this.

I think the idea was to run these services from inetd (which can also
launch SunRPC services).


>And maybe there should be a way to disable new
>registrations in rpcbind(8) and use only a set of saved ones.

The SunRPC protocol is meant to be dynamic. Starting a service
means that it needs to register its port with rpcbind. Preventing
registration means to prevent the start of a service.


>Am I missing any existing way to do this?

Maybe you can limit access to /var/run/rpcbind.sock, so that
only trusted users can register ports.
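As an added illustration of the portmapper exchange described in this reply (this is example code written for this archive page, not code from the thread or from NetBSD), the following Python builds the SunRPC v2 GETPORT and DUMP calls to rpcbind, parses the replies, and groups the registered (program, version, protocol, port) mappings the way a firewall admin would need them. The wire format follows RFC 5531 (RPC) and the portmapper v2 procedures. The sample reply bytes are constructed inline so the block runs offline; the mountd port 4000 in them is a made-up value, not something the thread states. `query_udp` is the only function that touches the network and is optional.

```python
"""Build and parse SunRPC portmapper (rpcbind v2) messages, offline."""
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAP_PORT = 100000, 2, 111
PMAPPROC_GETPORT, PMAPPROC_DUMP = 3, 4
IPPROTO_TCP, IPPROTO_UDP = 6, 17

# Well-known RPC program numbers for the services discussed in the thread.
PROGRAM_NAMES = {
    100000: "portmapper/rpcbind",
    100003: "nfs",
    100005: "mountd",
    100011: "rquotad",
    100021: "nlockmgr (lockd)",
    100024: "status (statd)",
}


def build_call(xid, proc, args=b""):
    """RPC v2 CALL header (xid, CALL, rpcvers 2, prog, vers, proc) + AUTH_NONE."""
    hdr = struct.pack(">IIIIII", xid, 0, 2, PMAP_PROG, PMAP_VERS, proc)
    auth = struct.pack(">IIII", 0, 0, 0, 0)  # cred flavor/len, verf flavor/len
    return hdr + auth + args


def build_getport(xid, prog, vers, prot):
    """GETPORT asks rpcbind for the port of one (prog, vers, prot) triple."""
    mapping = struct.pack(">IIII", prog, vers, prot, 0)  # port field is ignored
    return build_call(xid, PMAPPROC_GETPORT, mapping)


def build_dump(xid):
    """DUMP asks rpcbind for every registered mapping."""
    return build_call(xid, PMAPPROC_DUMP)


def _parse_reply_header(data, xid):
    """Validate an accepted, successful REPLY and return the offset of its body."""
    rxid, mtype, rstat, _vflavor, vlen = struct.unpack_from(">IIIII", data, 0)
    if rxid != xid:
        raise ValueError("xid mismatch")
    if mtype != 1 or rstat != 0:  # 1 = REPLY, 0 = MSG_ACCEPTED
        raise ValueError("RPC call not accepted")
    off = 20 + ((vlen + 3) & ~3)  # skip verifier body, XDR pads to 4 bytes
    (astat,) = struct.unpack_from(">I", data, off)
    if astat != 0:  # 0 = SUCCESS
        raise ValueError("accept_stat %d" % astat)
    return off + 4


def parse_getport_reply(data, xid):
    """Return the registered port; 0 means the triple is not registered."""
    off = _parse_reply_header(data, xid)
    (port,) = struct.unpack_from(">I", data, off)
    return port


def parse_dump_reply(data, xid):
    """Return a list of (prog, vers, prot, port) from a DUMP reply."""
    off = _parse_reply_header(data, xid)
    mappings = []
    while True:
        (more,) = struct.unpack_from(">I", data, off)  # XDR "value follows" bool
        off += 4
        if not more:
            return mappings
        entry = struct.unpack_from(">IIII", data, off)
        off += 16
        mappings.append(entry)


def firewall_summary(mappings):
    """Group registered ports by (service name, transport) for rule writing."""
    summary = {}
    for prog, _vers, prot, port in mappings:
        name = PROGRAM_NAMES.get(prog, "prog %d" % prog)
        proto = {IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp"}.get(prot, str(prot))
        summary.setdefault((name, proto), set()).add(port)
    return summary


def query_udp(host, xid, request, timeout=2.0):
    """Send a call to rpcbind on UDP/111 and return the raw reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, PMAP_PORT))
        data, _ = s.recvfrom(65535)
    return data


# Server side of the exchange, used here only to construct sample replies.
def build_getport_reply(xid, port):
    return struct.pack(">IIIII", xid, 1, 0, 0, 0) + struct.pack(">II", 0, port)


def build_dump_reply(xid, mappings):
    body = struct.pack(">IIIII", xid, 1, 0, 0, 0) + struct.pack(">I", 0)
    for m in mappings:
        body += struct.pack(">I", 1) + struct.pack(">IIII", *m)
    return body + struct.pack(">I", 0)


# Constructed sample registrations: rpcbind and nfs on their fixed ports,
# mountd on a made-up port 4000 (as if started with `-p 4000').
SAMPLE_MAPPINGS = [
    (100000, 2, IPPROTO_TCP, 111), (100000, 2, IPPROTO_UDP, 111),
    (100003, 3, IPPROTO_TCP, 2049), (100003, 3, IPPROTO_UDP, 2049),
    (100005, 3, IPPROTO_TCP, 4000),
]


def demo():
    """Round-trip the constructed DUMP reply and summarise it."""
    reply = build_dump_reply(42, SAMPLE_MAPPINGS)
    return firewall_summary(parse_dump_reply(reply, 42))


if __name__ == "__main__":
    for (name, proto), ports in sorted(demo().items()):
        print("%-22s %s %s" % (name, proto, sorted(ports)))
```

Running `demo()` shows why the reply above says a firewall that only knows ports 111 and 2049 is incomplete: every other service appears solely through the DUMP list, and the ports there change whenever a daemon restarts without a `-p` option. A firewall that "inspects the portmapper protocol" is doing exactly this parsing on the wire.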
