Tuesday, July 26, 2005

Unable to Specify Interface for TCP Portmapper

I'm crushed. Today while working on a FreeBSD system with multiple interfaces, I noticed the portmapper (rpcbind) listening where I didn't think it should be.

# sockstat -4 | grep rpcbind
root rpcbind 354 10 udp4 127.0.0.1:111 *:*
root rpcbind 354 11 udp4 10.0.0.1:111 *:*
root rpcbind 354 12 udp4 *:1007 *:*
root rpcbind 354 13 tcp4 *:111 *:*

The UDP version was listening on interface 10.0.0.1 as I expected. What was the TCP version doing listening on all interfaces? Also, what was port 1007 UDP doing?

I checked my /etc/rc.conf file to see if I had messed up the synatx.

rpcbind_enable="YES"
rpcbind_flags="-h 10.0.0.1"

That looked ok to me. I double-checked with /etc/defaults/rc.conf.

# grep "^rpcbind" /etc/defaults/rc.conf
rpcbind_enable="NO" # Run the portmapper service (YES/NO).
rpcbind_program="/usr/sbin/rpcbind" # path to rpcbind, if you want a different one.
rpcbind_flags="" # Flags to rpcbind (if enabled).

I finally looked at the man page and clarified the -h switch.

-h Specify specific IP addresses to bind to for UDP requests. This
option may be specified multiple times and is typically necessary
when running on a multi-homed host. If no -h option is speci-
fied, rpcbind will bind to INADDR_ANY, which could lead to prob-
lems on a multi-homed host due to rpcbind returning a UDP packet
from a different IP address than it was sent to. Note that when
specifying IP addresses with -h, rpcbind will automatically add
127.0.0.1 and if IPv6 is enabled, ::1 to the list.

OH NO. It only mentions UDP and not TCP. That's why I'm crushed. One of the characteristics I like about FreeBSD (and Unix in general) is the granular control over services enabled via simple text files. I should have been able to tell both UDP and TCP rpcbind versions to listen on a specified interface. That doesn't seem possible.

Now my only alternative is to firewall the interfaces where I do not want rpcbind to listen. That's a lousy solution in the Unix world. :(

3 comments:

Anonymous said...

I had the same fun trying to secure it on my laptop.

You can use tcpwrappers to lock down access, however IMHO anything hard binding to INADDR_ANY is inexcusable in this day and age.

It's not just rpcbind, there are other culprits.

I can point the finger at

Sambas nmbd,
isc dhcpd,
& Symon

To name a few, utterly ridiculous.

I do not want to have to rely exclusively on access control in the application doing the 'right' thing.

They shouldnt have their drawers round their metaphorical ankles in the 1st place.

Especially given the propensity of the ports system to update startup scripts which themselves do not utilise rc.conf properly.

It wouldnt be the 1st time I've seen something like mysql comeup on everything, after a hand hacked lockdown of it's startup script got nuked by portupgrade.





Greg

Anonymous said...

For what it's worth, this page is the first Google hit for "freebsd rpcbind bind to specific IP". I'm trying to set up FAM on a imap server on the public internet. It amazes me that there is no way to specify what interface that rpcbind sits on... I guess I'm going to have to resort to running ipfw and allowing only specific ports. Guh.

Richard Bejtlich said...

I just posted this PR:

http://www.freebsd.org/cgi/query-pr.cgi?pr=84494

>Category: bin
>Responsible: freebsd-bugs
>Synopsis: rpcbind TCP cannot be told to bind to a specific IP
>Arrival-Date: Tue Aug 02 20:40:08 GMT 2005