rpcbind lingering on IP no longer specified on command line
stable at museum.rain.com
Fri Jan 6 19:24:14 PST 2006
On Fri, Jan 06, 2006 at 10:22:43AM -0500, Vivek Khera wrote:
> On Jan 6, 2006, at 4:40 AM, James Long wrote:
> >>Yeah, I noticed that little tiny "UDP requests" note in the -h docs
> >>too. There's no reason to bind to all tcp addresses, and it is
> >>causing me heartburn for getting the server certified...
> >Good grief, why not just firewall off the undesired UDP ports and call
> >it good?
> I guess we could take that band-aid approach... however, how do you
> know what port RPC decides to listen on other than the 111 port? It
> is more or less random. That makes it very difficult to firewall.
P-shaw. If you're enduring "heartburn for getting the server
certified" then firewall off the rpcbind service from unwanted
IPs and voila, you get your get your server certified and business
goes on. Then you'll have the luxury of time to debug the true
problem with rpcbind, and your testing is done behind the privacy
of your firewall.
As far as unpredictable listening ports opened by rpc, that is exactly
why a secure firewall opens only selected ports on selected IPs, and
blocks everything else. It doesn't matter if it listens on port X of
IP y when your firewall doesn't permit incoming connections on that
port and IP in the first place.
># sockstat | grep rpcbind
>root rpcbind 11382 5 stream /var/run/rpcbind.sock
>root rpcbind 11382 6 dgram -> /var/run/logpriv
>root rpcbind 11382 7 udp4 127.0.0.1:111 *:*
>root rpcbind 11382 8 udp4 192.168.100.200:111 *:*
>root rpcbind 11382 9 udp4 *:664 *:*
>root rpcbind 11382 10 tcp4 *:111 *:*
More information about the freebsd-stable