skullnobrains

asked on 

Why does the NFSv4 client open an extra port? How to close it if it is actually useless?

Hello, all,

I'm working with a bunch of Ubuntu (Xenial) servers and need to understand why mounting an NFS v4 share opens a random port on the client side. The port has no associated process and seems to be opened directly by the NFS kernel module. The port is closed if I unmount, and a different one is opened if I remount the share. No traffic ever hits that port, neither when mounting nor afterwards (possibly because the share is read-only).

nmap reports the port (the number ????? changes from time to time, using an apparently random high-range port) as:

PORT      STATE SERVICE   VERSION
?????/tcp open  fmproduct 1-4 (RPC #1073741824)

As far as I remember, NFSv4 does not need a port mapper to work, so I don't really get the point of whatever RPC service is open on the client side. Is that correct?

If the above is correct, does anybody know how to instruct Ubuntu not to open that port?
(Please don't tell me to use the firewall or hosts.deny: I do not want the port to be open in the first place.)

Thanks all
Tags: Linux, Network File System (NFS), OS Security

skullnobrains

ASKER

Closing the port with the firewall (for the sake of testing) apparently does not prevent the mount from occurring.
tcpdump shows no connection attempt (sniffing the traffic originating from the server on the client).

This is a recap of sniffed packets while performing unmount + mount + list directory operations:

      3 IP depl101.lab.hbs.lan.58669 > nas-dist.depl.pra.hbs.lan..nfs: Flags [.],
      1 IP depl101.lab.hbs.lan.58669 > nas-dist.depl.pra.hbs.lan..nfs: Flags [F.],
      1 IP depl101.lab.hbs.lan.58669 > nas-dist.depl.pra.hbs.lan..nfs: Flags [P.],
      1 IP depl101.lab.hbs.lan.58669 > nas-dist.depl.pra.hbs.lan..nfs: Flags [S],
     42 IP depl101.lab.hbs.lan.686 > nas-dist.depl.pra.hbs.lan..nfs: Flags [.],
      1 IP depl101.lab.hbs.lan.686 > nas-dist.depl.pra.hbs.lan..nfs: Flags [F.],
   1133 IP depl101.lab.hbs.lan.686 > nas-dist.depl.pra.hbs.lan..nfs: Flags [P.],
     12 IP depl101.lab.hbs.lan.689 > nas-dist.depl.pra.hbs.lan..nfs: Flags [.],
    170 IP depl101.lab.hbs.lan.689 > nas-dist.depl.pra.hbs.lan..nfs: Flags [P.],
      1 IP depl101.lab.hbs.lan.689 > nas-dist.depl.pra.hbs.lan..nfs: Flags [S],
      1 IP nas-
      1 IP nas-dist.depl.pra.hbs.lan..nfs > depl101.lab.hbs.lan.58669: Flags [.],
      1 IP nas-dist.depl.pra.hbs.lan..nfs > depl101.lab.hbs.lan.58669: Flags [F.],
      1 IP nas-dist.depl.pra.hbs.lan..nfs > depl101.lab.hbs.lan.58669: Flags [P.],
      1 IP nas-dist.depl.pra.hbs.lan..nfs > depl101.lab.hbs.lan.58669: Flags [S.],
     10 IP nas-dist.depl.pra.hbs.lan..nfs > depl101.lab.hbs.lan.686: Flags [.],
      1 IP nas-dist.depl.pra.hbs.lan..nfs > depl101.lab.hbs.lan.686: Flags [F.],
   1133 IP nas-dist.depl.pra.hbs.lan..nfs > depl101.lab.hbs.lan.686: Flags [P.],
     11 IP nas-dist.depl.pra.hbs.lan..nfs > depl101.lab.hbs.lan.689: Flags [.],
    169 IP nas-dist.depl.pra.hbs.lan..nfs > depl101.lab.hbs.lan.689: Flags [P.],
      1 IP nas-dist.depl.pra.hbs.lan..nfs > depl101.lab.hbs.lan.689: Flags [S.],



Notice that every SYN packet is sent by depl101 (NFS client) to nas-dist (server) on the NFS port.

The extra opened port (actually ports, since it changes when unmounting + remounting) does not even appear in the sniffed traffic.
ASKER CERTIFIED SOLUTION
robocat

[solution text not shown on the page]

skullnobrains

ASKER

Confirmed, thanks: changing sysctl fs.nfs.nfs_callback_tcpport changes the port.

I clearly do not want the corresponding behavior in this context.

Would you happen to know how to disable the feature altogether client-side?

robocat

I'm not sure if you can disable this, but I don't see the need. If the firewall blocks the callback port, NFS will detect this and automatically disable delegations.

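As an added example (not from the thread, and not robocat's or the asker's code), the POSIX shell script below makes the points above checkable on a client: it lists TCP listeners that no user-space process owns (the signature of the kernel-owned callback listener the asker saw), flags which mounts are NFSv4.0 and therefore need that listener, checks whether the kernel-owned listener is the port configured in fs.nfs.nfs_callback_tcpport, and emits the sysctl and nfs module-option lines that pin it to a fixed port. The ss and /proc/mounts samples are constructed; the hosts, mount points, PIDs and port numbers in them are made up. It assumes the behaviour of the Linux client, where NFSv4.1 and later carry callbacks over the existing connection and do not need a separate listener; verify that on your own kernel before relying on it.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks an NFSv4 client for the
# kernel-owned callback listener and shows how to pin it to a fixed port.
# All sample output below is constructed; hosts, ports and PIDs are made up.

# Constructed sample of `ss -ltnp` on a client with one NFSv4.0 mount.
# The two sockets without a users:(...) column are owned by the kernel.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=1032,fd=3))
LISTEN 0      64     0.0.0.0:44931      0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*        users:(("sshd",pid=1032,fd=4))
LISTEN 0      64     [::]:44931         [::]:*'

# Constructed sample in /proc/mounts format: one v4.0 and one v4.1 mount.
SAMPLE_MOUNTS='nas-dist:/export/ro /mnt/ro nfs4 ro,relatime,vers=4.0,proto=tcp,addr=10.0.0.5 0 0
nas-dist:/export/rw /mnt/rw nfs4 rw,relatime,vers=4.1,proto=tcp,addr=10.0.0.5 0 0'

# Print the TCP ports of listening sockets that no user-space process owns
# (ss prints no users:(...) column for them). Input: text in `ss -ltnp` format.
kernel_owned_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" && $0 !~ /users:\(/ {
            n = split($4, a, ":"); print a[n]
        }' | sort -u
}

# Print mount points that use NFSv4.0, the minor version that needs a
# separate client-side callback listener (v4.1+ use the existing connection).
# Input: /proc/mounts format (device mountpoint fstype options dump pass).
v40_mounts() {
    printf '%s\n' "$1" | awk '
        $3 == "nfs4" && ("," $4 ",") ~ /,vers=4\.0,/ { print $2 }'
}

# Return 0 when every kernel-owned listener is the configured callback port
# (the extra port is accounted for), 1 when an unexplained listener exists.
# $1: ss text; $2: configured port, as printed by
#     sysctl -n fs.nfs.nfs_callback_tcpport (0 means the kernel picks one).
callback_port_accounted_for() {
    ss_text=$1; cb_port=$2
    for p in $(kernel_owned_listeners "$ss_text"); do
        [ "$p" = "$cb_port" ] || return 1
    done
    return 0
}

# Emit the two settings that pin the callback listener to a fixed port:
# the sysctl for the running kernel and the nfs module option for the next
# boot. Rejects anything that is not a port number in 1-65535.
pin_callback_port_config() {
    port=$1
    case $port in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf 'fs.nfs.nfs_callback_tcpport = %s\n' "$port"   # e.g. /etc/sysctl.d/nfs-callback.conf
    printf 'options nfs callback_tcpport=%s\n' "$port"     # e.g. /etc/modprobe.d/nfs-callback.conf
}

# Stand-alone run against the constructed samples.
echo "kernel-owned listeners: $(kernel_owned_listeners "$SAMPLE_SS" | tr '\n' ' ')"
echo "v4.0 mounts needing a callback port: $(v40_mounts "$SAMPLE_MOUNTS" | tr '\n' ' ')"
if callback_port_accounted_for "$SAMPLE_SS" 44931; then
    echo "the kernel-owned listener is the configured callback port"
fi
pin_callback_port_config 4049
```

On a live client, feed the functions real data with `kernel_owned_listeners "$(ss -ltnp)"` and `v40_mounts "$(cat /proc/mounts)"`, and compare against `sysctl -n fs.nfs.nfs_callback_tcpport` (0, the default, means the kernel picks a random high port on each mount, which is the behaviour described in the question). Once the port is pinned, the firewall rule robocat mentions can target a known number instead of a moving one.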
skullnobrains

ASKER

My goal is to prevent programs from opening sockets and running as privileged users unless there is an actual need. I have no time to fully audit, but I am reluctant to trust the delegation mechanism to be even mildly difficult to exploit somehow, and I do not want to rely on the firewall to block loopback connections.

Thanks for your help so far. I'll close this thread once I have time to find a decent/dumb way to achieve my secondary goal, and obviously accept your answer. Thanks.
SOLUTION
skullnobrains

[solution text not shown on the page]


ASKER

I REALLY thought I had closed this question weeks ago.

I guess the sliding, semi-transparent, ad-like, Windows-10-UI-like confirmation not-a-window was too weird for me to figure out I was supposed to click "next"... which I was reluctant to do, since "next" involves a series of different clicks and questions.