01-29-2013 12:11 AM
First, you'll need to configure fixed port numbers for the NFS-related services. You should do this both on your NFS server and on all your NFS clients.
Depending on your HP-UX version, you may need to ensure that you have a specific patch installed:
11.31 - no patch required
11.23 - PHNE_34550 or superseding patch
11.11 - PHNE_34662 or superseding patch
Then you can add some lines to /etc/rc.config.d/nfsconf to specify fixed port numbers for the NFS-related services.
For example, these lines would fix lockd (nlockmgr) to port 4045, rpc.statd (status) to 4046 and rpc.mountd (mountd) to 4047:
STATD_PORT=4046
MOUNTD_PORT=4047
# in 11.31, lockd is always fixed to UDP port 4045 so this is not needed
LOCKD_PORT=4045
After doing this and restarting your NFS services, they should be on fixed ports. Use "rpcinfo -p" to verify.
Once the services are bound to fixed ports, you can use external firewalls or the optional HP-UX IPFilter to restrict the connections to these ports to between your NFS server and legitimate NFS clients only. You'll also need to allow the portmapper/rpcinfo service (port 111, both TCP and UDP), since it is used to find the other NFS-related services (because the client will not know that you've specified fixed port numbers on the server, and vice versa).
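
One way to script the "rpcinfo -p" verification step, as an added example that is not part of the original post. The function names check_nfs_ports and constructed_sample are hypothetical, the sample output is constructed, and the expected ports are the ones from the nfsconf lines above.

```shell
#!/bin/sh
# Read "rpcinfo -p" output on stdin and compare each NFS-related RPC program
# against the fixed port it is expected to use. Matching is done on the RPC
# program number, because the service-name column can differ between systems.
# Prints one line per problem; exit status is 0 only if everything matches.
check_nfs_ports() {
    awk '
        BEGIN {
            bad = 0
            want[100000] = 111;  name[100000] = "portmapper"
            want[100024] = 4046; name[100024] = "status"
            want[100021] = 4045; name[100021] = "nlockmgr"
            want[100005] = 4047; name[100005] = "mountd"
        }
        $1 in want {
            seen[$1] = 1
            if ($4 != want[$1]) {
                printf "MISMATCH %s v%s/%s on port %s, expected %s\n",
                       name[$1], $2, $3, $4, want[$1]
                bad = 1
            }
        }
        END {
            # A service that is not registered at all is also a failure.
            for (p in want)
                if (!(p in seen)) {
                    printf "MISSING %s (program %s)\n", name[p], p
                    bad = 1
                }
            exit bad
        }
    '
}

# Constructed sample: mountd is still on a dynamic port (49152).
constructed_sample() {
    cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4046  status
    100021    4   udp   4045  nlockmgr
    100005    3   udp  49152  mountd
    100005    3   tcp  49152  mountd
EOF
}

constructed_sample | check_nfs_ports || echo "ports are not fixed as configured"
```

On a live system, pipe the real output into the function instead: rpcinfo -p | check_nfs_ports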