Once upon a time, Jesse Keating <jkeating@xxxxxxxxxx> said:
> On Wed, 2009-01-21 at 18:48 -0600, Chris Adams wrote:
> > That brings me back to RPC services though, which means NFS (which
> > started all of this). Some of the NFS component services have fixed
> > ports now (even though they still register with portmapper), such as
> > nfsd (2049) and rquotad (875), but I believe that mountd, lockd, and
> > statd all run on portmapper-assigned random ports. The only way to
> > control access to them is currently TCP_wrappers.
>
> However, each of these does allow you to set a specific port they'll run
> on, so that you /can/ use iptables with them. I've been running them
> that way for years.

I saw that, but I haven't tried it myself. I guess they still register
with portmapper (i.e. portmapper allows a program to require a specific
port; I haven't done RPC programming in at least 10 years), since that
appears to be how nfsd and rquotad work.

It looks like the init scripts already support setting this (including
for the kernel lockd using sysctl). Is there a reason to not go ahead
and do that for Fedora 11? That would make recommending iptables instead
of tcp_wrappers a lot easier.

-- 
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
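The port pinning discussed in the thread, as an added example that is not code from the thread, from Fedora's init scripts or from the nfs-utils project: it emits the /etc/sysconfig/nfs settings the Fedora/RHEL nfs and nfslock init scripts read (MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT, LOCKD_UDPPORT, RQUOTAD_PORT), the sysctl the kernel lockd needs, a matching iptables rule set, and a check that parses `rpcinfo -p` output to catch any service still sitting on a portmapper-assigned port. The port numbers, the trusted subnet (192.0.2.0/24) and the two rpcinfo listings are constructed for the example; nothing here touches the running system, everything is printed so it can be run unprivileged.

```shell
#!/bin/sh
# Added example (not from the thread or Fedora): pin the NFS side-services
# to fixed ports, emit iptables rules for them, and verify with rpcinfo -p
# output. Port values and the trusted subnet below are assumptions.

MOUNTD_PORT=892
STATD_PORT=662
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
RQUOTAD_PORT=875
TRUSTED_NET=192.0.2.0/24   # assumed NFS client subnet (documentation range)

# /etc/sysconfig/nfs fragment: these are the variable names the Fedora/RHEL
# nfs and nfslock init scripts pass to rpc.mountd -p, rpc.statd -p,
# rpc.rquotad -p and to the lockd sysctls.
nfs_sysconfig() {
  printf 'MOUNTD_PORT=%s\n'   "$MOUNTD_PORT"
  printf 'STATD_PORT=%s\n'    "$STATD_PORT"
  printf 'LOCKD_TCPPORT=%s\n' "$LOCKD_TCPPORT"
  printf 'LOCKD_UDPPORT=%s\n' "$LOCKD_UDPPORT"
  printf 'RQUOTAD_PORT=%s\n'  "$RQUOTAD_PORT"
}

# lockd runs in the kernel, so its ports are set through sysctl rather than
# a daemon flag; this is what the init script does with LOCKD_*PORT.
lockd_sysctl() {
  printf 'sysctl -w fs.nfs.nlm_tcpport=%s\n' "$LOCKD_TCPPORT"
  printf 'sysctl -w fs.nfs.nlm_udpport=%s\n' "$LOCKD_UDPPORT"
}

# One ACCEPT for the trusted subnet and one DROP for everyone else, per
# port and protocol. $1 proto, $2 port, $3 trusted net.
nfs_rule() {
  echo "iptables -A INPUT -s $3 -p $1 --dport $2 -j ACCEPT"
  echo "iptables -A INPUT -p $1 --dport $2 -j DROP"
}

# Rules for portmapper (111), nfsd (2049) and the now-pinned side-services.
# With random ports none of this would be possible; that is the whole point.
nfs_iptables_rules() {
  net=$1
  for port in 111 2049 "$MOUNTD_PORT" "$STATD_PORT" "$RQUOTAD_PORT"; do
    nfs_rule tcp "$port" "$net"
    nfs_rule udp "$port" "$net"
  done
  nfs_rule tcp "$LOCKD_TCPPORT" "$net"
  nfs_rule udp "$LOCKD_UDPPORT" "$net"
}

# Read `rpcinfo -p` output on stdin (columns: program vers proto port
# service) and report any of the four services registered on a port other
# than the pinned one. Exits 1 if any mismatch was found. Only mismatches
# are reported; a service that is simply not running is not flagged.
check_rpcinfo() {
  awk -v m="$MOUNTD_PORT" -v s="$STATD_PORT" -v lt="$LOCKD_TCPPORT" \
      -v lu="$LOCKD_UDPPORT" -v q="$RQUOTAD_PORT" '
    $1 == "program" { next }   # header line
    $5 == "mountd"   && $4 != m { bad++; print "mountd/" $3 " on " $4 ", expected " m }
    $5 == "status"   && $4 != s { bad++; print "statd/" $3 " on " $4 ", expected " s }
    $5 == "nlockmgr" && $3 == "tcp" && $4 != lt { bad++; print "lockd/tcp on " $4 ", expected " lt }
    $5 == "nlockmgr" && $3 == "udp" && $4 != lu { bad++; print "lockd/udp on " $4 ", expected " lu }
    $5 == "rquotad"  && $4 != q { bad++; print "rquotad/" $3 " on " $4 ", expected " q }
    END { exit (bad > 0) }'
}

# Constructed rpcinfo -p listing of a correctly pinned server.
SAMPLE_OK='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    662  status
    100024    1   tcp    662  status
    100021    1   udp  32769  nlockmgr
    100021    1   tcp  32803  nlockmgr
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   udp    892  mountd
    100005    1   tcp    892  mountd
    100011    1   udp    875  rquotad
    100011    1   tcp    875  rquotad'

# Constructed listing of the same server before pinning: mountd and the
# UDP side of lockd landed on portmapper-assigned ports.
SAMPLE_BAD='   program vers proto   port  service
    100024    1   udp    662  status
    100021    1   udp  54321  nlockmgr
    100021    1   tcp  32803  nlockmgr
    100003    3   tcp   2049  nfs
    100005    1   udp  36849  mountd
    100011    1   udp    875  rquotad'

nfs_sysconfig
lockd_sysctl
nfs_iptables_rules "$TRUSTED_NET"
printf '%s\n' "$SAMPLE_BAD" | check_rpcinfo || echo "unpinned RPC services found"
```

On a live host the check is `rpcinfo -p | check_rpcinfo` after the nfs and nfslock services have been restarted with the new sysconfig; until the restart, the daemons keep whatever random ports portmapper gave them, and the iptables rules above would lock legitimate clients out.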