Re: [ldm-users] question about UDP 111

Peter Laws wrote:
On 04/23/10 20:01, Chris MacDermaid wrote:
Mike,

Port 111 is the sunrpc port. This is also known as the portmapper because
it provides a mapping between available services and their ports.

Port 111 isn't needed for LDM. From what I understand, an LDM client
first tries to connect to port 388. If that fails the client then tries
to connect using the portmapper service on port 111. In your case, it
appears the connection on port 388 is failing for some reason.


The port-mapping part of Remote Procedure Call was an idea from the 1980s/1990s where, rather than being limited to TCP and UDP ports (64k of each) -- which were rapidly being eaten up with "known" services at the time -- you could just have a port mapper that would accept a connection on a single port (111), look at the requested service number (see /etc/rpc for examples), and then assign the connection a random port. Given that there were potentially thousands or millions of procedures that you might want to call on other systems, this was sort of mandatory.

NFS works this way and is still the bane of administrators. :-) Fortunately, most distributions allow you to "pin" the various NFS-related services to a specific port to make firewall configs simpler.

RPC, the whole thing, is still interesting, in that it allows exactly what it says: calling a procedure on a remote system. Lots more detail about RPC in Wikipedia but you'll also read that it's been mostly obsoleted by other, similar protocols.

As noted, the default for LDM is now to use 388/tcp and 388/udp and only use RPC (service 300029!) as a fall-back.

It's probably worth considering making it a compile-time or run-time option to disable RPC entirely since most LDM servers don't seem to use it.

In fact, rpc can be disabled, and only tcp/388 is necessary for LDM. For those who believe in security via obscurity, you can reassign the LDM port when you start, and tell your users to request on that port (in lmdm.conf). This trick also works if you're enabling multiple LDMs on the same machine, although for our shop, we set up a (really, 2) relay, and then have dedicated smaller machines to handle the decoding, image generation, filing, etc.

Amazing how this discussion is starting to sound like a bunch of OLD sys admins, isn't it?
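To make the portmapper lookup discussed in this thread concrete, here is an added example in Python (not from the list, the LDM project, or its source) that encodes a PMAPPROC_GETPORT call for RPC program 300029 and decodes the reply, as a way to confirm whether an LDM host is advertising its port through RPC at all. The program version `LDM_VERS = 6` and the `query_portmapper` helper are assumptions for illustration; the sample reply bytes are constructed, not captured.

```python
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3  # rpcbind/portmapper v2 (RFC 1833)
LDM_PROG = 300029          # LDM's RPC program number, as named in the thread
LDM_VERS = 6               # assumed program version; check your own LDM build
IPPROTO_TCP, IPPROTO_UDP = 6, 17

def build_getport_call(xid, prog=LDM_PROG, vers=LDM_VERS, proto=IPPROTO_TCP):
    """Encode an ONC RPC v2 CALL (RFC 5531) for PMAPPROC_GETPORT with AUTH_NONE.
    This is the payload of one UDP datagram to port 111; TCP would prepend a record mark."""
    header = struct.pack("!6I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack("!4I", 0, 0, 0, 0)            # cred + verf: flavor AUTH_NONE, zero length
    args = struct.pack("!4I", prog, vers, proto, 0)  # pmap struct; port is ignored for GETPORT
    return header + auth + args

def parse_getport_reply(xid, data):
    """Decode the REPLY. Returns the port the program is registered on; 0 means
    'not registered', i.e. nothing reachable through the portmapper fall-back."""
    if len(data) < 28:
        raise ValueError("truncated RPC reply")
    r_xid, msg_type, reply_stat, _flavor, vlen = struct.unpack("!5I", data[:20])
    if r_xid != xid or msg_type != 1:
        raise ValueError("not the REPLY matching our xid")
    if reply_stat != 0:                      # 1 = MSG_DENIED
        raise ValueError("RPC call denied by portmapper")
    off = 20 + ((vlen + 3) & ~3)             # skip verifier body, XDR-padded to 4 bytes
    accept_stat, port = struct.unpack("!2I", data[off:off + 8])
    if accept_stat != 0:
        raise ValueError(f"call accepted but failed, accept_stat={accept_stat}")
    return port

def make_constructed_reply(xid, port):
    """Build a sample SUCCESS reply (constructed test data, not captured traffic)."""
    return struct.pack("!5I", xid, 1, 0, 0, 0) + struct.pack("!2I", 0, port)

def query_portmapper(host="127.0.0.1", prog=LDM_PROG, vers=LDM_VERS, proto=IPPROTO_TCP, timeout=2.0):
    """Ask a host's portmapper (UDP/111) where a program lives, like `rpcinfo -p` does.
    Run against your own LDM host to confirm a server meant to serve only 388/tcp
    is not also advertised via RPC (assumed helper, network access required)."""
    xid = 0x4C444D00
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_getport_call(xid, prog, vers, proto), (host, 111))
        data, _ = s.recvfrom(1024)
    return parse_getport_reply(xid, data)

if __name__ == "__main__":
    port = query_portmapper()
    print("LDM registered on port", port if port else "none (not advertised via RPC)")
```

A reply of 0 from a host that is meant to run with RPC disabled is the expected, healthy result; a nonzero port means the portmapper fall-back path is live and 111/udp is part of that host's exposed surface.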


