Firewalls and RPC (was "Re: Improvement to IPFilter / nfsd in FBSD (6.2+?)")

Chuck Swiger cswiger at
Thu Jan 11 21:32:55 UTC 2007

On Jan 11, 2007, at 12:54 PM, Garrett Cooper wrote:
>> It is typically not useful to implement firewall rules between NFS  
>> servers and legitimate NFS clients.
>> The large number of RPC services using randomly assigned ports  
>> needed by NFS and the fact that machines which trust each other  
>> enough to permit filesharing and generally utilize a common set of  
>> directory services to keep the user/group mappings synced mean  
>> that the NFS server & clients should be considered in the same  
>> "trust domain" in most cases.

> Right, ok. I suppose I was just being lazy/trying to blanket  
> support all machines on my subnet without having to delve into  
> individual hosts, but that makes perfect sense. rpcbind (and RPC in  
> general) strictly uses ports under 1023--assuming that there are  
> enough allocatable ports available for each RPC service in the port  
> range 1-1023--if running as root, does it not?

Actually, no.  While rpcbind/portmap/portmapper is assigned to
111/tcp & udp, most other RPC services get assigned high port numbers in
the 327xx range, but that varies considerably from platform to platform.

> Does the same rationale apply for Samba? That's part of the reason  
> why I'm concerned with running a firewall.. I run smbd/nmbd on the  
> server machine.

Somewhat, yes.  Samba/CIFS filesharing can require less trust between  
server and client as accessing a Samba share does not require  
superuser permissions, just limited user access, but Samba does  
require root access to start up and bind to the low ports it uses,  
and it also involves the "network browse master" (which nmbd can do)  
and so forth which involve subnet-oriented broadcast traffic.

Samba/CIFS is a chatty protocol.

> Either that, or I could switch to another firewall setup (albeit  
> it'd be sort of a pain). Does ipfw / pf work better with RPC than  
> IPFilter?

No, not really.  What you probably want to focus on is protecting  
your entire subnet, including the fileserver and clients, from  
malicious traffic via your Internet link(s), and then worry about  
egress filtering, dividing your machines into a trusted internal LAN  
and a semi-trusted DMZ, and so forth.

A firewall system should not be running any kind of filesharing;  
while you can run PF, IPFW, etc on your fileserver, that ought to be  
a secondary line of protection for "defense in depth", and your  
Internet connection ought to have a dual-homed or multihomed firewall  
machine which is dedicated to that role and which runs zero services.
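
The port behaviour described in the reply above (rpcbind fixed at 111, most other RPC services on high ports that vary) can be checked from `rpcinfo -p` output. This is an added example, not part of the original message: the two listings are constructed sample data, and the function names are hypothetical.

```python
# Added example: constructed `rpcinfo -p` listings, not output from a real host.
BEFORE = """\
   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    3   udp  32771  mountd
    100005    3   tcp  32771  mountd
    100021    4   udp  32772  nlockmgr
    100024    1   udp  32773  status
"""
# Assumed second listing: same host after the RPC daemons were restarted.
AFTER = (BEFORE.replace("32771", "32790")
               .replace("32772", "32791")
               .replace("32773", "32792"))


def parse_rpcinfo(text):
    """Return {service: set of (proto, port)} from `rpcinfo -p` output."""
    services = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and any line that is not
        # "program vers proto port [service]".
        if len(fields) < 4 or not fields[0].isdigit() or not fields[3].isdigit():
            continue
        # Programs without a registered name are keyed by program number.
        name = fields[4] if len(fields) > 4 else fields[0]
        services.setdefault(name, set()).add((fields[2], int(fields[3])))
    return services


def high_port_services(services, reserved_below=1024):
    """Services with at least one registration outside ports 1-1023."""
    return sorted(name for name, endpoints in services.items()
                  if any(port >= reserved_below for _, port in endpoints))


def moved_services(before, after):
    """Services whose (proto, port) set differs between two listings."""
    return sorted(name for name in before.keys() | after.keys()
                  if before.get(name) != after.get(name))


if __name__ == "__main__":
    b, a = parse_rpcinfo(BEFORE), parse_rpcinfo(AFTER)
    print("registered outside 1-1023:", high_port_services(b))
    print("ports changed between listings:", moved_services(b, a))
```

Any service reported by `moved_services` is one that a static per-port rule between client and server would stop matching after a restart.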


More information about the freebsd-questions mailing list