Understanding the Portmapper



Most TCP/IP servers work by attaching themselves to a port, which is set by convention to a single value. For instance, Simple Mail Transfer Protocol (SMTP) servers bind themselves to port 25, and Hypertext Transfer Protocol (HTTP, aka Web) servers use port 80. These servers usually can use nonstandard ports, but most servers use the conventional port numbers so that clients can connect to them without having to be configured to use a nonstandard port. NFS, though, is one of a class of protocols that works slightly differently: It uses what's known as the portmapper, which is a utility that binds to a fixed port (111), monitors the ports that specific servers use, and directs clients to use the correct ports. (NFS generally uses UDP port 2049, but NFSv3 may use TCP port 2049.) This whole process is closely related to the Remote Procedure Call (RPC) services, of which NFS is one example. The portmapper handles RPC services.

The portmapper is implemented in a program called portmap. This program is normally started as part of your network startup script, or in a startup script of its own. Although it doesn't normally operate via a super server like inetd, recent versions of the portmapper can use TCP Wrappers. You can substantially improve your NFS server's security by blocking access to the portmapper except by computers that should be allowed access to it. The following line placed in /etc/hosts.deny will restrict portmapper access:

 portmap : ALL 

You can then loosen access to the portmapper by entering the IP addresses of computers or networks that should have access to NFS and other RPC services into /etc/hosts.allow:

 portmap : 192.168.1. 

NOTE


Chapter 4 includes a discussion of TCP Wrappers configuration, including the allowable forms of client specifications. You shouldn't specify clients by hostname in the case of the portmapper, though, because hostname lookups can cause portmap activity. Thus, in looking up the hostname, portmap can be called again, which causes another hostname lookup, and so on. This sort of infinite loop will, of course, get you nowhere while consuming lots of CPU time. Instead of using hostnames, use IP addresses or IP address fragments.
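To make the evaluation order of the two files and the IP-fragment matching concrete, here is a small Python evaluator (an added example, not from the book or from the TCP Wrappers code base) that applies the two lines recommended above to sample client addresses, and that flags hostname patterns for portmap, the pitfall the note describes. It models only the rule forms shown here (ALL, full IPv4 addresses, trailing-dot fragments); real TCP Wrappers accepts more syntax.

```python
import re

# Constructed sample files: the two lines recommended in the text above.
HOSTS_DENY = "portmap : ALL\n"
HOSTS_ALLOW = "portmap : 192.168.1.\n"
# Numeric client patterns: a full IPv4 address or a trailing-dot fragment.
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}\.?$")

def parse_rules(text):
    """Return (daemon_list, client_list) pairs; comments, blanks and malformed lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, ip):
    """ALL matches anything; a trailing-dot fragment is a prefix match; otherwise exact."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern

def _rule_hits(rules, daemon, ip):
    return any(("ALL" in daemons or daemon in daemons)
               and any(client_matches(c, ip) for c in clients)
               for daemons, clients in rules)

def decision(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """TCP Wrappers order: hosts.allow is consulted first, then hosts.deny;
    a client that matches neither file is granted access."""
    if _rule_hits(parse_rules(allow_text), daemon, ip):
        return "allow"
    if _rule_hits(parse_rules(deny_text), daemon, ip):
        return "deny"
    return "allow"

def hostname_patterns(text, daemon="portmap"):
    """Client patterns for `daemon` that are not numeric. For portmap these
    cause the hostname-lookup loop described in the note, so flag them."""
    bad = []
    for daemons, clients in parse_rules(text):
        if "ALL" in daemons or daemon in daemons:
            bad.extend(c for c in clients if c != "ALL" and not IPV4_RE.match(c))
    return bad
```

With the two sample files, decision("portmap", "192.168.1.7") returns "allow" and decision("portmap", "10.0.0.5") returns "deny", while a daemon not named in hosts.deny is still reachable from anywhere.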


Starting the portmapper isn't enough to serve files via NFS. In addition to defining the directories you want to share (as described in the next section, "Serving Files with NFS"), you must start the NFS server itself. This is normally done by a SysV startup script called nfs or something similar. Some distributions require you to start two or more SysV startup scripts (in addition to the portmapper) to get NFS working. These scripts will probably run automatically when you boot after installing the NFS server package. If you change your configuration, you may need to call the NFS SysV startup script with the restart option, as in /etc/rc.d/init.d/nfs restart.



Advanced Linux Networking
ISBN: 0201774232
Year: 2002
Pages: 203
