We've had portmapper (port 111) blocked from outside access on our LDM
machines for more than a year now and that has not hindered anyone from
feeding from our LDM. The only side effect is that blocking it doesn't
stop the remote LDM from trying to access it before defaulting to 388.
In fact it tries a good number of times. Because our setup logs all
denied connections this generates several hundred excess messages in our
logs each day (which we have to filter out)
--
David Wojtowicz, Sr. Research Programmer
Department of Atmospheric Sciences
University of Illinois at Urbana-Champaign
on 5/15/2001 3:43 PM, Anne Wilson at anne@xxxxxxxxxxxxxxxx wrote:
> Jeff Wolfe wrote:
>>
>> Hi folks,
>>
>> I'm sure everyone is aware of the ever increasing number of worms and other
>> security compromises that are happening on the 'net these days. The local
>> security folks here want to put a blanket filter on our internet
>> connection for inbound port 111. The idea is that by filtering port 111, they
>> make it just a bit harder for the various miscreants to find vulnerable RPC
>> services.
>>
>> I'm trying to understand what effects that will have on our LDM servers. I
>> vaguely remember running ldm for a while without having the /etc/rpc file
>> edited properly, but that was a long time ago. I'm thinking we'll be able to
>> connect to other servers, but nobody will be able to connect to us.
>>
>> Longer term, has anyone considered what will happen with LDM as firewalls,
>> proxy servers and other security measures become more prevalent? RPC isn't
>> the
>> most firewall friendly protocol ever invented.
>>
>> -JEff
>
>
> Hi Jeff,
>
> The LDM does not require that port 111 be available as long as port 388
> is available, like others have said. If port 388 was not available,
> then a remote LDM would try to contact the portmapper on port 111. If
> neither are available it will give up.
>
> Regarding the longer term, sure we're considering security issues. But,
> the current design has served us well. Lots of our sites have firewalls
> and run with no problem as long as port 388 is open.
>
> Regarding being "firewall friendly", technically, the LDM is not an RPC
> service because it doesn't require the portmapper. Instead, it is a
> "TCP service that uses RPC protocol encoding." That is, it establishes
> the service on a fixed TCP port that clients try directly.
>
> Anne
