F. Javier Cobas

Is it possible to fix port ranges for NFS processes [mountd, nlockmgr,...] in T64 v. 5.x ?

Hi all,

 

    "rpcinfo" reports the following ports open on a Tru64 (v.5.1B) NFS server:

 

  oneserver# rpcinfo -p  
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    683  mountd
    100005    3   udp    683  mountd
    100005    1   tcp    689  mountd
    100005    3   tcp    689  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100024    1   udp   1026  status
    100024    1   tcp   1024  status
    100021    1   tcp   1025  nlockmgr
    100021    2   tcp   1025  nlockmgr
    100021    3   tcp   1025  nlockmgr
    100021    4   tcp   1025  nlockmgr
    100020    3   tcp   1025  llockmgr
    100021    1   udp   1027  nlockmgr
    100021    2   udp   1027  nlockmgr
    100021    3   udp   1027  nlockmgr
    100021    4   udp   1027  nlockmgr
    100020    3   udp   1027  llockmgr
    100012    1   udp   1032  sprayd
    100068    2   udp   1033  rpc.cmsd
    100068    3   udp   1033  rpc.cmsd
    100068    4   udp   1033  rpc.cmsd
    100083    1   tcp   1028  rpc.ttdbserverd   

 

   But on another NFS server, some of the ports used by the NFS protocol (nlockmgr, mountd, status, etc.) are different (as usual for NFS v.2 and v.3):

 

    otherserver#  rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100012    1   udp   1032  sprayd
    100068    2   udp   1033  rpc.cmsd
    100068    3   udp   1033  rpc.cmsd
    100068    4   udp   1033  rpc.cmsd
    100083    1   tcp   1029  rpc.ttdbserverd
    105005    1   tcp   1030
    105004    1   udp   1034
    100005    1   udp    939  mountd
    100005    3   udp    939  mountd
    100005    1   tcp    945  mountd
    100005    3   tcp    945  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100024    1   udp   2580  status
    100024    1   tcp   1422  status
    100021    1   tcp   1429  nlockmgr
    100021    2   tcp   1429  nlockmgr
    100021    3   tcp   1429  nlockmgr
    100021    4   tcp   1429  nlockmgr
    100020    3   tcp   1429  llockmgr
    100021    1   udp   2581  nlockmgr
    100021    2   udp   2581  nlockmgr
    100021    3   udp   2581  nlockmgr
    100021    4   udp   2581  nlockmgr
    100020    3   udp   2581  llockmgr
    105005    1   udp   4392

 

   Is it possible to fix the port ranges used by NFS protocol processes (portmapper, mountd, status ...) in Tru64 UNIX v. 5.1B in order to let them through a firewall?

 

   In case this is not an option in Tru64,

   

        Which port ranges have to be reserved in the firewalls to be sure NFS traffic is not blocked?

        What is the algorithm used to choose a new free port for those NFS processes?

 

TIA, Javier.

Matti_Kurkela

Re: Is it possible to fix port ranges for NFS processes [mountd, nlockmgr,...] in T64 v. 5.x ?

Originally, all the SunRPC services (including the NFS services) except the portmapper used to use whatever random ports the OS gave them. The only way to know the current port numbers was to contact the portmapper service first, which would always be in port 111 and would know where the rest of the services are on the current host. The ability to use fixed port numbers is a later development, mostly because firewalls have become common.

 

In Tru64, the "nfs" service is always in port 2049, which is the standard convention. The "mountd" uses a privileged port by default, i.e. a port number that is less than 1024. The rest of the SunRPC servers use unprivileged ports, i.e. port numbers 1024 or greater. Usually, a service that needs an unprivileged port simply picks the first free port in the range of 1024 or greater at the time it starts up. The privileged ports have a specific OS version dependent port range (nnn..1023), and I don't know the specific privileged port range for Tru64.

 

Unfortunately, it looks like there is no way to specify fixed port numbers for NFS services in Tru64.

 

Some firewalls can solve this problem by snooping on the traffic of port 111. By analyzing the portmapper responses, the firewall can identify the service requested and learn which port the service is currently in, and then allow the connection to the appropriate port if the service is allowed in the firewall rules.

 

 

(If your firewall can do this, it should have a way to specify firewall rules by either SunRPC service names or program ID numbers, instead of by TCP/UDP port numbers. You can find the known program IDs in the /etc/rpc file on your system.)

MK
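
The portmapper snooping described in the reply above, as an added example that is not part of either post and is not any firewall vendor's code: it pairs each GETPORT request on port 111 with its reply by transaction ID and records a port only for allowed program IDs. The PortmapSnooper class, its helper functions and the sample packets are hypothetical and constructed here; it assumes UDP payloads (no TCP record marking) and leaves out the per-client address matching a real firewall would add.

```python
import struct

PMAP_PROG, PMAP_VERS, GETPORT = 100000, 2, 3   # portmapper program, version, procedure
CALL, REPLY, MSG_ACCEPTED, SUCCESS = 0, 1, 0, 0
PROTO = {6: "tcp", 17: "udp"}

def getport_call(xid, prog, vers, proto):
    """Constructed sample: client asks the portmapper where prog/vers lives."""
    head = struct.pack(">6I", xid, CALL, 2, PMAP_PROG, PMAP_VERS, GETPORT)
    auth_none = struct.pack(">2I", 0, 0)        # flavor 0, zero-length body
    return head + auth_none * 2 + struct.pack(">4I", prog, vers, proto, 0)

def getport_reply(xid, port):
    """Constructed sample: portmapper answers with the current port."""
    return struct.pack(">7I", xid, REPLY, MSG_ACCEPTED, 0, 0, SUCCESS, port)

def skip_auth(buf, off):
    """Step over an opaque_auth field (flavor, length, body padded to 4 bytes)."""
    _flavor, length = struct.unpack_from(">2I", buf, off)
    return off + 8 + ((length + 3) & ~3)

class PortmapSnooper:
    """Hypothetical firewall helper: learns ports only for allowed program IDs."""
    def __init__(self, allowed_programs):
        self.allowed = set(allowed_programs)
        self.pending = {}       # xid -> (program, proto name) awaiting a reply
        self.pinholes = set()   # (program, proto name, port) to permit

    def observe(self, payload):
        try:
            xid, mtype = struct.unpack_from(">2I", payload, 0)
            if mtype == CALL:
                rpcvers, prog, vers, proc = struct.unpack_from(">4I", payload, 8)
                if (rpcvers, prog, vers, proc) != (2, PMAP_PROG, PMAP_VERS, GETPORT):
                    return
                off = skip_auth(payload, skip_auth(payload, 24))  # credential, verifier
                want_prog, _vers, proto, _port = struct.unpack_from(">4I", payload, off)
                if want_prog in self.allowed and proto in PROTO:
                    self.pending[xid] = (want_prog, PROTO[proto])
            elif mtype == REPLY and xid in self.pending:
                prog, proto = self.pending.pop(xid)
                (reply_stat,) = struct.unpack_from(">I", payload, 8)
                if reply_stat != MSG_ACCEPTED:
                    return
                off = skip_auth(payload, 12)
                accept_stat, port = struct.unpack_from(">2I", payload, off)
                if accept_stat == SUCCESS and port != 0:   # port 0 = not registered
                    self.pinholes.add((prog, proto, port))
        except struct.error:
            return   # truncated or malformed packet: learn nothing
```

Replies with no matching request, requests for program IDs outside the allow list, and "not registered" answers (port 0) open nothing.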