Networking Forums

port 2049 & NFS

Newsman
Guest

      09-08-2003, 11:02 PM
I thought NFS used port 2049. But I've stumbled onto something that
seems strange to me---I'm a network novice.

I have a small LAN at home. My SuSE box is connected to a Linksys
router. Static IPs are assigned on the LAN side.

I also have a 12" Apple Powerbook G4 set up as a dual boot: OS X and
Yellow Dog Linux (which you may know is essentially a port of RH 9). I
have exported 3 directories on my SuSE box. But I got a "mount: RPC:
Timed out" message when I tried to connect from YDL using NFS v3. I
experimented a bit and found that I could connect by commenting out the
following 2 lines in /etc/sysconfig/iptables:

-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT

The strange thing is that NFS works even though the next two lines are
still in /etc/sysconfig/iptables:

-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT

In fact, the output of "iptables -L | grep nfs" is:
REJECT tcp -- anywhere anywhere tcp dpt:nfs
flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:nfs
reject-with icmp-port-unreachable

Is my confusion warranted, or am I missing something? And am I correct
in thinking that I have greatly compromised security by commenting out
the lines having to do with ports 0:1023?

Thanks.

Michael Mueller
Guest
      09-08-2003, 11:49 PM
Hi Newsman,

you wrote:
> I thought NFS used port 2049. But I've stumbled onto something that
> seems strange to me---I'm a network novice.


A Sun RPC service can be bound to any port dynamically. However, they often
prefer one, and some implementations might rely on a fixed port being
available. For NFSv2 this is port 2049, as you noticed.

> Timed out" message when I tried to connect from YDL using NFS v3. I
> experimented a bit and found that I could connect by commenting out the
> following 2 lines in /etc/sysconfig/iptables:
>
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
>
> The strange thing is that NFS works even though the next two lines are
> still in /etc/sysconfig/iptables:
>
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT


NFSv3 registered on another port. See the output of "rpcinfo -p
hostname".


> Is my confusion warranted, or am I missing something? And am I correct
> in thinking that I have greatly compromised security by commenting out
> the lines having to do with ports 0:1023?


Yes, it is quite generic. You might want to limit the permission to UDP
port 111 (portmapper) and maybe other RPC services needed by NFS
registering in the port range. Since the port assignment is mostly
reproducible over multiple system starts, you can use the port numbers
reported by rpcinfo for the rules. Just keep in mind that the port
numbers may change.
Furthermore, it might be a wise choice to limit the access to a certain
range of IP numbers. The RPC services had, and still may have, various
vulnerabilities besides the general information leakage by the
portmapper.


Michael

--
Linux@TekXpress
http://www-users.rwth-aachen.de/Mich...kxp/tekxp.html
Newsman
Guest
      09-09-2003, 03:48 PM
Michael Mueller wrote:
> Hi Newsman,
>
> you wrote:
>
>>I thought NFS used port 2049. But I've stumbled onto something that
>>seems strange to me---I'm a network novice.

>
>
> A Sun RPC service can be bound to any port dynamically. However, they often
> prefer one, and some implementations might rely on a fixed port being
> available. For NFSv2 this is port 2049, as you noticed.
>
>
>>Timed out" message when I tried to connect from YDL using NFS v3. I
>>experimented a bit and found that I could connect by commenting out the
>>following 2 lines in /etc/sysconfig/iptables:
>>
>>-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
>>-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
>>
>>The strange thing is that NFS works even though the next two lines are
>>still in /etc/sysconfig/iptables:
>>
>>-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
>>-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT

>
>
> NFSv3 registered on another port. See the output of "rpcinfo -p
> hostname".
>
>
>
>>Is my confusion warranted, or am I missing something? And am I correct
>>in thinking that I have greatly compromised security by commenting out
>>the lines having to do with ports 0:1023?

>
>
> Yes, it is quite generic. You might want to limit the permission to UDP
> port 111 (portmapper) and maybe other RPC services needed by NFS
> registering in the port range. Since the port assignment is mostly
> reproducible over multiple system starts, you can use the port numbers
> reported by rpcinfo for the rules. Just keep in mind that the port
> numbers may change.
> Furthermore, it might be a wise choice to limit the access to a certain
> range of IP numbers. The RPC services had, and still may have, various
> vulnerabilities besides the general information leakage by the
> portmapper.
>
>
> Michael
>


Hi Michael.

Thanks for the informative reply. The output of rpcinfo -p for the
laptop running Yellow Dog Linux 3.0 is:

   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32768  status
    391002    2   tcp  32769  sgi_fam

Not much there. But I was thinking of adding the following lines to
/etc/sysconfig/iptables:

-A INPUT -s <my.ip.address.here> -p tcp -m tcp --dport 0:1023 --syn -j
ACCEPT
-A INPUT -s <my.ip.address.here> -p udp -m udp --dport 0:1023 -j ACCEPT

That should improve security a bit, right?

Thanks again.
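The two suggestions in this thread, Michael's (open only the ports that rpcinfo reports, and only to a known address range) and Newsman's (source-restricted ACCEPT rules placed ahead of the broad 0:1023 REJECT), can be combined in one small script. The following is an added example and not code posted by either participant; it assumes the rules go in the plain INPUT chain (Newsman's proposal) rather than the RH-Lokkit-0-50-INPUT chain, and the rpcinfo sample it ships with is constructed to look like an NFS server rather than the laptop output shown above (the mountd ports in it are arbitrary).

```shell
#!/bin/sh
# Added example, not part of the thread: turn `rpcinfo -p` output into
# iptables ACCEPT rules that are limited to one source network and to the
# (proto, port) pairs RPC actually registered, then keep the original broad
# REJECT rules for 0:1023 behind them. Because RPC ports can change between
# boots (as the reply notes), regenerate the rules after a reboot and diff
# them against what is loaded.
#
# Real use:  rpcinfo -p nfs-server | rpc_ruleset 192.168.1.0/24

# Constructed sample of `rpcinfo -p` on an NFS server. 100000, 100003 and
# 100005 are the standard portmapper, nfs and mountd program numbers; the
# mountd port numbers 32772/32775 are made up for this example.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   udp  32772  mountd
    100005    1   tcp  32775  mountd
    100005    3   udp  32772  mountd
    100005    3   tcp  32775  mountd'

# rpc_accept_rules SRC_NET
# Reads rpcinfo -p output on stdin and prints one ACCEPT rule per distinct
# (protocol, port) pair, restricted to SRC_NET. TCP rules match --syn so
# they mirror the REJECT rules already in /etc/sysconfig/iptables.
rpc_accept_rules() {
    src="$1"
    awk -v src="$src" '
        NR == 1 && $1 == "program" { next }   # skip the header line
        NF >= 4 {
            key = $3 ":" $4
            if (seen[key]++) next             # several versions share a port
            flags = ($3 == "tcp") ? " --syn" : ""
            printf "-A INPUT -s %s -p %s -m %s --dport %s%s -j ACCEPT\n",
                   src, $3, $3, $4, flags
        }'
}

# rpc_ruleset SRC_NET
# Narrow ACCEPT rules first, then the broad REJECTs from the original file,
# so the privileged range stays closed to everyone else.
rpc_ruleset() {
    src="$1"
    rpc_accept_rules "$src"
    echo '-A INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT'
    echo '-A INPUT -p udp -m udp --dport 0:1023 -j REJECT'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_ruleset 192.168.1.0/24
```

Note that this only narrows the firewall; it does not change the fact that the portmapper still answers `rpcinfo -p` for any host the rules let through, which is why the source-address restriction matters as much as the port list.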
