This might help get you started or give you some ideas.

#
# somewhere in the initscripts after portmap and nfs are running ...
# perhaps in /etc/init.d/nfs-kernel-server
#
IFACE=eth1
# sort -u collapses the duplicate lines rpcinfo prints when several
# NFS versions register on the same port, so NFSPORT holds one value
NFSPORT=`rpcinfo -p | awk '/udp.*nfs$/ { print $4; }' | sort -u`
ipchains -A input -i $IFACE -p udp --destination-port $NFSPORT -j DENY
On Fri, Jan 26, 2001 at 11:20:12AM -0800, [EMAIL PROTECTED] wrote:
>
> hi
>
>
> I've been dealing with this for a long time, and was curious if
> anyone knows if it's possible.
>
> I want to force all RPC services to listen only on 1 interface,
> it is VERY VERY difficult to firewall them as they apparently
> choose random ports every time they load which means i have to
> spend 30 minutes running nmap both TCP and UDP ports 1-65535 and
> verifying what ports are open with lsof and netstat and firewall
> the rpc ones accordingly. this procedure works but it gets
> old after a while :) so i wanna know if i can force rpc services
> to bind to 1 interface, or force them to use the same ports
> every time (even if i restart NFS it uses new ports) the rpcs:
> rpc.mountd, rpc.statd are the worst offenders for me.. sunrpc
> is good and happily sits on port 111 ...
>
> luckily i don't reboot often but sometimes i need to reload
> the /etc/exports file ......maybe i can do this without
> reloading the nfs services..but that still doesn't solve the
> problem as a whole :) i don't think it's possible to run
> rpcs from xinetd ..but if it is i'd like to know how.
>
> thanks!@
>
> nate
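The snippet in the reply only pins down the UDP port of nfs itself, while the poster's real pain is mountd and statd, which re-register on new ports every restart. The script below is an added example, not code from either mail: it generalizes the same rpcinfo/awk idea to every registered RPC service except the portmapper (fixed on port 111), both TCP and UDP, and emits one ipchains DENY rule per port for the chosen interface. The rpcinfo -p text it parses is a constructed sample with placeholder ports, so it runs offline; on a real host you would feed it `rpcinfo -p` directly, and rerun it whenever NFS is restarted, because the ports it found are only valid until then.

```shell
#!/bin/sh
# Added example (not from the original mail): derive ipchains DENY rules for
# all dynamically assigned RPC ports from `rpcinfo -p` output.

# Constructed sample of `rpcinfo -p` output; ports are placeholders, not
# captured from a real host.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   udp   1024  mountd
    100005    1   tcp   1025  mountd
    100005    2   udp   1024  mountd
    100005    2   tcp   1025  mountd
    100024    1   udp   1026  status
    100024    1   tcp   1027  status'

# Read rpcinfo -p text on stdin and print unique "proto port" pairs for every
# registered program except the portmapper.  Only lines whose first field is
# a numeric program number are considered, so the header is skipped; sort -u
# collapses the repeated lines that multiple protocol versions produce.
rpc_dynamic_ports() {
    awk '$1 ~ /^[0-9]+$/ && $5 != "portmapper" { print $3, $4 }' | sort -u
}

# Emit one ipchains DENY rule per proto/port for the interface given as $1.
# The rules are printed, not applied, so they can be reviewed first.
gen_ipchains_rules() {
    iface="$1"
    rpc_dynamic_ports | while read -r proto port; do
        printf 'ipchains -A input -i %s -p %s --destination-port %s -j DENY\n' \
            "$iface" "$proto" "$port"
    done
}

# Demonstration on the constructed sample.  On a live host replace the
# printf with:  rpcinfo -p | gen_ipchains_rules eth1
printf '%s\n' "$SAMPLE_RPCINFO" | gen_ipchains_rules eth1
```

Piping the output into sh would apply the rules; keeping generation and application separate makes it easy to diff the rule set against the previous run after an NFS restart, which is exactly when the mountd and statd ports move.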