RPC program high end ports

gs_kanata
I ran "rpcinfo -p" to list all the rpc programs and their associated ports on the local host.

program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100011    1   udp  32905  rquotad
    100145    1   tcp  49163  scadmd
    100533    1   tcp  49164  scrcmd
    100281    1   tcp  49165  metacld
    100024    1   udp  32906  status
    100024    1   tcp  49166  status
    100133    1   udp  32906
    100133    1   tcp  49166
    100021    1   udp   4045  nlockmgr
    100021    2   udp   4045  nlockmgr
    100021    3   udp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
 536873113    1   tcp  49167
    100021    1   tcp   4045  nlockmgr
    100021    2   tcp   4045  nlockmgr
    100021    3   tcp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr
    100005    1   udp  32907  mountd
    100005    1   tcp  49168  mountd
    100005    2   udp  32907  mountd
    100005    2   tcp  49168  mountd
    100005    3   udp  32907  mountd
    100005    3   tcp  49168  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100227    2   udp   2049  nfs_acl
    100227    3   udp   2049  nfs_acl
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049  nfs_acl
    100227    3   tcp   2049  nfs_acl

For high end ports like those for mountd, are they dynamic or static? I am writing an IPFilter rule to allow remote traffic to some of those ports. If they are static, then my rule should be easy. Otherwise, I don't know how to tackle it. For instance, mountd uses port 49168, and if it is always 49168, I could just add it to the rule file.

Commented:
Check this,

http://unix.derkeiler.com/Mailing-Lists/SunManagers/2004-05/0099.html

Which version of the OS are you using?

Author

Commented:
I am using Solaris 10.

Commented:
Use NFS v4 (which is available in Solaris 10); "mountd" and "lockd" are obsolete. NFS v4 uses the well-defined port 2049, thus improving firewall support.

Author

Commented:
It is NFS v4 on my Solaris 10, as I found the following two entries in /etc/default/nfs:

#NFS_SERVER_VERSMIN=2
#NFS_SERVER_VERSMAX=4

Port 2049 is shown in the list. However, the "showmount" command needs to access a high end port other than 2049.
Brian Utterback, Principal Software Engineer

Commented:
Of the ones you have listed, 4045, 2049 and 111 are pre-assigned, the others are dynamic and could change. As mentioned above, the difficulty of dealing with this in firewalls was one of the reasons that NFS V4 combined the NFS, NLOCK and mount protocols into a single protocol with a well known port.
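
Added example (not from this thread or any vendor tool): a small Python script that parses rpcinfo -p output like the listing in the question, separates the pre-assigned ports named in this answer (111, 2049, 4045) from the rpcbind-assigned dynamic ones, emits IPFilter rules only for the fixed ports, and names the RPC service behind a destination port seen in an ipmon log line. The rpcinfo sample is constructed from the question, and the fixed-port set is taken from this answer rather than a vendor table.

```python
import re
# Constructed sample, copied from the rpcinfo -p listing in the question.
RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100021    4   tcp   4045  nlockmgr
    100005    3   udp  32907  mountd
    100005    3   tcp  49168  mountd
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
 536873113    1   tcp  49167
"""

# Pre-assigned ports per the answer above (assumption); anything else rpcbind
# hands out is dynamic and may change after a reboot or service restart.
FIXED_PORTS = {111, 2049, 4045}

def parse_rpcinfo(text):
    """Return (program, vers, proto, port, service) tuples; service may be ''."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)", line)
        if m:
            prog, vers, proto, port, svc = m.groups()
            rows.append((int(prog), int(vers), proto, int(port), svc))
    return rows

def classify(rows):
    """Split listeners into fixed and dynamic {(proto, port): service} maps."""
    static, dynamic = {}, {}
    for prog, _vers, proto, port, svc in rows:
        target = static if port in FIXED_PORTS else dynamic
        target.setdefault((proto, port), svc or "prog-%d" % prog)
    return static, dynamic

def ipf_rules(static, iface, server):
    """One IPFilter 'pass in' rule per fixed port; dynamic ports get no rule."""
    return ["pass in quick on %s proto %s from any to %s port = %d keep state  # %s"
            % (iface, proto, server, port, svc)
            for (proto, port), svc in sorted(static.items())]

def service_for(static, dynamic, proto, port):
    """Name the RPC service behind a destination port seen in an ipmon log line."""
    if (proto, port) in static:
        return "%s (fixed port)" % static[(proto, port)]
    if (proto, port) in dynamic:
        return "%s (dynamic port, changes on restart)" % dynamic[(proto, port)]
    return "not an RPC service on this host"
```

Running classify over a real rpcinfo -p capture shows at a glance which listeners can get a static rule and which (mountd, status, the unnamed program) would still need rpcbind and a dynamic range opened.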

Author

Commented:
But the NFS on my machine is the NFS V4. Is it configured in the wrong way? How to check?
Brian Utterback, Principal Software Engineer

Commented:
Use the dfshares command.
Brian Utterback, Principal Software Engineer

Commented:
I don't think that is going to work either. The dfshares command seems to use the old mount protocol too. Oh well.

Commented:
NFS Version 4 solves the issue by eliminating the Mount protocol, and mandating that the server will listen on port 2049. This means that NFS Version 4 clients do not need to contact the portmapper, and do not need to access services on floating ports, making firewall configuration as simple as configuration for HTTP.

Please open the port 2049 in firewall and see if you get any issues.

Author

Commented:
Port 2049 is opened, even without limiting it to the tcp protocol:

bash-3.00# ipfstat -ion | grep 2049
@12 pass in quick on e1000g4 from any to any port = 2049

Client Address:      10.200.16.600
Server Address:      10.200.16.168

On client machine, I run the “showmount” command as:
# showmount -e 10.200.16.168
showmount: 10.200.16.168: RPC: Rpcbind failure - RPC: Timed out

On the server side, snoop captures the incoming traffic as:

# snoop -d e1000g4 10.200.16.600
Using device e1000g4 (promiscuous mode)
10.200.16.600 -> bk1          PORTMAP C GETPORT prog=100005 (MOUNT) vers=1 proto=TCP

Jan 27 20:01:56 nas1a  ipmon[17123]: [ID 702911 local0.notice] 20:01:56.093707 e1000g4 @0:12 p 10.200.16.600,60660 -> 10.200.16.168,111 PR udp len 20 84 IN

Then, after opening the 111 rpc port, it comes to the dynamic port, which is different on different machines.

Commented:
execute "nfsstat -m" on both server and client and paste the results here...

Author

Commented:
Client side:

/remote_disk from 10.200.16.168:/export/home/storage
 Flags:         vers=4,proto=tcp,sec=sys,hard,intr,link,symlink,acl,rsize=1048576,wsize=1048576,retrans=5,timeo=600
 Attr cache:    acregmin=3,acregmax=60,acdirmin=30,acdirmax=60

Server side:

Nothing returned

Commented:
can you paste the output of /var/svc/log/network-nfs-client:default.log
and /var/svc/log/network-nfs-server:default.log while executing your above steps (showmount and snoop).

Also, check if all the nfs services are up:

svcs -a | grep nfs

Author

Commented:
Client:

# tail -f  network-nfs-client:default.log
[ Aug  4 20:07:08 Executing start method ("/lib/svc/method/nfs-client start") ]
[ Aug  4 20:07:09 Method "start" exited with status 0 ]
[ Aug  4 20:08:27 Executing start method ("/lib/svc/method/nfs-client start") ]
[ Aug  4 20:08:27 Method "start" exited with status 0 ]
[ Sep 21 12:22:13 Executing start method ("/lib/svc/method/nfs-client start") ]
[ Sep 21 12:22:13 Method "start" exited with status 0 ]
[ Sep 24 10:33:37 Executing start method ("/lib/svc/method/nfs-client start") ]
[ Sep 24 10:33:37 Method "start" exited with status 0 ]
[ Sep 24 11:09:56 Executing start method ("/lib/svc/method/nfs-client start") ]
[ Sep 24 11:09:57 Method "start" exited with status 0 ]

# svcs -a | grep nfs
disabled       Sep_24   svc:/network/nfs/server:default
online         Sep_24   svc:/network/nfs/mapid:default
online         Sep_24   svc:/network/nfs/cbd:default
online         Sep_24   svc:/network/nfs/status:default
online         Sep_24   svc:/network/nfs/nlockmgr:default
online         Sep_24   svc:/network/nfs/client:default
online         Sep_24   svc:/network/nfs/rquota:default

Server:

# tail -f  network-nfs-server:default.log
[ Jan 25 15:01:24 Method "stop" exited with status 0 ]
[ Jan 25 15:01:24 Executing start method ("/lib/svc/method/nfs-server start") ]
[ Jan 25 15:01:24 Method "start" exited with status 0 ]
[ Jan 25 15:01:24 Stopping because all processes in service exited. ]
[ Jan 25 15:01:24 Executing stop method ("/lib/svc/method/nfs-server stop 85") ]
[ Jan 25 15:01:24 Method "stop" exited with status 0 ]
[ Jan 25 15:01:24 Disabled. ]
[ Jan 25 15:18:51 Enabled. ]
[ Jan 25 15:18:51 Executing start method ("/lib/svc/method/nfs-server start") ]
[ Jan 25 15:18:51 Method "start" exited with status 0 ]

# svcs -a | grep nfs
disabled       Jan_27   svc:/network/nfs/cbd:default
disabled       Jan_27   svc:/network/nfs/client:default
online         Jan_27   svc:/network/nfs/mapid:default
online         Jan_27   svc:/network/nfs/status:default
online         Jan_27   svc:/network/nfs/nlockmgr:default
online         Jan_27   svc:/network/nfs/rquota:default
online         Jan_27   svc:/network/nfs/server:default

Author

Commented:
Server side nfs: the output above is from another machine with the same configuration. Anyway, there is no change in services going up or down during the test.

# /var/svc/log # svcs -a | grep nfs
disabled       Jan_25   svc:/network/nfs/cbd:default
disabled       Jan_25   svc:/network/nfs/client:default
online         Jan_25   svc:/network/nfs/mapid:default
online         Jan_25   svc:/network/nfs/status:default
online         Jan_25   svc:/network/nfs/nlockmgr:default
online         Jan_25   svc:/network/nfs/rquota:default
online         Jan_25   svc:/network/nfs/server:default
