NetBSD-Users archive


Re: Tracking down TCP & UDP listeners



Scott.Burns%SeQent.Com@localhost ("Scott Burns") writes:

>1) Can you tell "nfs" on 7.0.2 to listen only on a specific NIC card IP?
>	i.e. port 2049

        memset(&hints, 0, sizeof hints);
        hints.ai_flags = AI_PASSIVE;
        hints.ai_family = cfg_family[t];
        hints.ai_socktype = cfg_socktype[t];
        hints.ai_protocol = cfg_protocol[t];

        ecode = getaddrinfo(NULL, "nfs", &hints, &cfg->ai);


>2) Ditto above for portmapper?
>	i.e. port 111

        (void)memset(&hints, 0, sizeof hints);
        hints.ai_flags = AI_PASSIVE;
        hints.ai_family = si.si_af;
        hints.ai_socktype = si.si_socktype;
        hints.ai_protocol = si.si_proto; 
        if ((aicode = getaddrinfo(NULL, servname, &hints, &res)) != 0) {


Both listen on the wildcard address. You can make rpcbind ("portmapper")
listen only on the loopback address, but for an NFS server that's
impractical, as the clients need to query it to find the ports used
by the other NFS services.


>3) Any idea what is listening on TCP and UDP for ports 1021, 1022, 1023?

These are privileged ports that could be used by anything; the
ports are dynamically assigned.



>	- Yellowpages / NIS?
>	- Can this listener be disabled if we determine we are not using
>what the listener is for?

That apparently depends on the listener. If this is related to NFS
then you have:

	- mountd
	- rpc.lockd
	- rpc.statd

mountd is needed if you run an NFS server. mountd lets you
specify the port number it tries to use.

rpc.lockd/rpc.statd are used for NFS file locking (something
that our NFS client code doesn't understand, but other clients
may want to use). Neither let you set a fixed port, but
if you don't need file locking, you don't have to start them.

There could be other, less common, NFS-related services (e.g.
rpc.quotad) too. But those have no implementation.

All these protocols support TCP and UDP, which is why you see
listeners for either protocol.


Commercial firewalls usually provide a proxy ("ALG") for
the portmapper protocol and allow access to the dynamic
ports on-demand.

If you only have simple port filters, then
- don't use NFS file locking
- bind mountd to a fixed port
- allow clients to access ports 111, 2049 and whatever
  you chose for mountd.
- depending on the clients, you must also allow the UDP variants.


NFSv4 removed all that complexity, all services are now
multiplexed on a single port (usually 2049/tcp).


-- 
                                Michael van Elst
Internet: mlelstv%serpens.de@localhost
                                "A potential Snark may lurk in every tree."
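As an added example (not code from this message or from the NetBSD nfsd/rpcbind sources it quotes), the C program below shows why the two getaddrinfo() fragments above produce wildcard listeners and what answering questions 1 and 2 would take: a NULL host with AI_PASSIVE resolves to INADDR_ANY, while a specific address such as 127.0.0.1 resolves to that address only. The function names and the AF_INET-only restriction are my own choices, not anything from the message.

```c
#define _DEFAULT_SOURCE        /* expose getaddrinfo() & AI_* on glibc */
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Resolve a listening address as the quoted nfsd/rpcbind fragments do: a NULL
 * host with AI_PASSIVE yields the wildcard address, "127.0.0.1" yields only
 * that address. AF_INET only; returns 0 or the getaddrinfo() error code. */
int resolve_listen_addr(const char *host, const char *port,
                        struct sockaddr_in *out)
{
    struct addrinfo hints, *res;
    int ecode;
    memset(&hints, 0, sizeof hints);
    hints.ai_flags = AI_PASSIVE | AI_NUMERICSERV;
    if (host != NULL)
        hints.ai_flags |= AI_NUMERICHOST;   /* no resolver lookup needed */
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_protocol = IPPROTO_TCP;
    if ((ecode = getaddrinfo(host, port, &hints, &res)) != 0)
        return ecode;
    memcpy(out, res->ai_addr, sizeof *out);
    freeaddrinfo(res);
    return 0;
}

/* 1 if the address is INADDR_ANY, i.e. the socket would listen on every
 * interface address, which is what the question wanted to avoid. */
int is_wildcard(const struct sockaddr_in *sa)
{
    return sa->sin_addr.s_addr == htonl(INADDR_ANY);
}

/* Bind a TCP socket to the resolved address and return the port the kernel
 * assigned (host order), or -1 on error; port "0" needs no privilege. */
int bind_and_get_port(const struct sockaddr_in *sa)
{
    struct sockaddr_in bound;
    socklen_t len = sizeof bound;
    int fd = socket(AF_INET, SOCK_STREAM, 0), port = -1;
    if (fd >= 0 && bind(fd, (const struct sockaddr *)sa, sizeof *sa) == 0 &&
        getsockname(fd, (struct sockaddr *)&bound, &len) == 0)
        port = ntohs(bound.sin_port);
    if (fd >= 0)
        close(fd);
    return port;
}
```

Checking is_wildcard() on the address a daemon is about to bind is the quick way to tell whether a service will show up on every interface in a listener listing.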

