Re: NFS daemon port numbers for firewall config

To: tech-net%netbsd.org@localhost
Subject: Re: NFS daemon port numbers for firewall config
From: mlelstv%serpens.de@localhost (Michael van Elst)
Date: Sat, 20 Apr 2024 01:33:05 -0000 (UTC)

mouse%Rodents-Montreal.ORG@localhost (Mouse) writes:

>SunRPC details to comment on CALLIT.  I _think_ it is useless if port
>111 is blocked, but I wouldn't trust my systems' security to that
>memory without checking it out first.)

The CALLIT procedure is provided by the service that runs on
port 111 (rpcbind). So nothing can happen if you block port 111.

Our implementation has a permanent UDP client socket opened for
the CALLIT procedure to proxy calls to other RPC services.
That socket is bound to a (privileged) ephemeral port and
may receive UDP packets from anywhere.

So, blocking UDP by default is required. But that should be
the setup for any host that needs to be protected.

References:
- NFS daemon port numbers for firewall config
  - From: Taylor R Campbell
- Re: NFS daemon port numbers for firewall config
  - From: Lloyd Parkes
- Re: NFS daemon port numbers for firewall config
  - From: Mouse

Prev by Date: Re: NFS daemon port numbers for firewall config
Next by Date: Re: NFS daemon port numbers for firewall config
Previous by Thread: Re: NFS daemon port numbers for firewall config
Next by Thread: Re: NFS daemon port numbers for firewall config
Indexes:

Home | Main Index | Thread Index | Old Index