I'm crushed. Today while working on a FreeBSD system with multiple interfaces, I noticed the portmapper (rpcbind) listening where I didn't think it should be.
# sockstat -4 | grep rpcbind
root rpcbind 354 10 udp4 127.0.0.1:111 *:*
root rpcbind 354 11 udp4 10.0.0.1:111 *:*
root rpcbind 354 12 udp4 *:1007 *:*
root rpcbind 354 13 tcp4 *:111 *:*
The UDP version was listening on interface 10.0.0.1 as I expected. What was the TCP version doing listening on all interfaces? Also, what was port 1007 UDP doing?
I checked my /etc/rc.conf file to see if I had messed up the syntax.
rpcbind_enable="YES"
rpcbind_flags="-h 10.0.0.1"
That looked ok to me. I double-checked with /etc/defaults/rc.conf.
# grep "^rpcbind" /etc/defaults/rc.conf
rpcbind_enable="NO" # Run the portmapper service (YES/NO).
rpcbind_program="/usr/sbin/rpcbind" # path to rpcbind, if you want a different one.
rpcbind_flags="" # Flags to rpcbind (if enabled).
I finally looked at the man page and clarified the -h switch.
-h Specify specific IP addresses to bind to for UDP requests. This option may be specified multiple times and is typically necessary when running on a multi-homed host. If no -h option is specified, rpcbind will bind to INADDR_ANY, which could lead to problems on a multi-homed host due to rpcbind returning a UDP packet from a different IP address than it was sent to. Note that when specifying IP addresses with -h, rpcbind will automatically add 127.0.0.1 and if IPv6 is enabled, ::1 to the list.
OH NO. It only mentions UDP and not TCP. That's why I'm crushed. One of the characteristics I like about FreeBSD (and Unix in general) is the granular control over services enabled via simple text files. I should have been able to tell both UDP and TCP rpcbind versions to listen on a specified interface. That doesn't seem possible.
Now my only alternative is to firewall the interfaces where I do not want rpcbind to listen. That's a lousy solution in the Unix world. :(
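A check for the situation above, added here as an example and not part of the original post: it runs a sockstat listing through awk and reports any rpcbind socket bound to an address other than the ones rpcbind_flags was meant to allow. The function names and the embedded sample listing are my own, copied from the output shown earlier.

```shell
#!/bin/sh
# Added check, not from the original post: flag rpcbind sockets that are
# not bound to an address on the allowed list. SAMPLE is a constructed
# copy of the sockstat listing shown in the post.
SAMPLE='root rpcbind 354 10 udp4 127.0.0.1:111 *:*
root rpcbind 354 11 udp4 10.0.0.1:111 *:*
root rpcbind 354 12 udp4 *:1007 *:*
root rpcbind 354 13 tcp4 *:111 *:*'

# Read sockstat lines on stdin; print "command proto local" for every
# listening socket (foreign address *:*) whose local address is not in $1.
# A wildcard local address (*) is never on the list, so it is always flagged.
unexpected_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $7 == "*:*" {
        laddr = $6
        sub(/:[0-9]+$/, "", laddr)      # strip the port, keep the address
        if (!(laddr in ok)) print $2, $5, $6
    }'
}

# Run the check over the sample with the addresses -h was meant to restrict
# rpcbind to (10.0.0.1, plus the loopback rpcbind adds on its own).
check_sample() {
    printf '%s\n' "$SAMPLE" | unexpected_listeners "127.0.0.1 10.0.0.1"
}

# Number of unexpected listeners in the sample: 2 (udp4 *:1007 and tcp4 *:111).
count_sample() {
    check_sample | wc -l | tr -d ' '
}

# On a live FreeBSD host the same filter runs over the real listing:
#   sockstat -4l | grep rpcbind | unexpected_listeners "127.0.0.1 10.0.0.1"
```

The two lines it prints are exactly the TCP and UDP wildcard binds the post is complaining about; a clean result on a host means -h (plus the loopback it adds) accounts for every rpcbind socket.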