HOWTO: Dynamically Set IPFilter Rules for RPC Services

/howto-dynamically-set-ipfilter-rules-for-rpc-services 2007-09-07T13:32:42+01:00

I'll admit now, none of this work is mine: all credit needs to go to Borgan Chu and Shawn Ferry. All this post is doing is making it easier to find all the relevant information as it's scattered around a bit.

Many people implement firewalls for security reasons, and many people encounter the one nightmare with firewalls that is RPC services, e.g. NFS. The problem with RPC services is that they don't listen on fixed ports: each RPC program binds a dynamic port when it starts and registers it with rpcbind (port 111), and clients ask rpcbind where the program lives. This makes it a bit of a nightmare to configure firewall rules for the respective ports, as they're likely to change every time the host reboots or the service restarts.

You could open up a whole range of ports (e.g. 32767-32850), but this isn't particularly secure: every RPC service whose port happens to land in that range is exposed too, not just the one service you're trying to use, and the range has to be wide enough to cover wherever the service lands after its next restart.

A common alternative is to use RPC-aware firewall software like SunScreen (now EOL) or Checkpoint Firewall-1 (costs $$), which let you name the RPC service and work out the current ports for you. This can be a bit of an overkill for a server that is running the desired RPC service and acting as a firewall to itself.

Solaris 10 ships with IPFilter built in, and accordingly many people are looking to do the same thing with Solaris. Why pay for something when you can have it for free?

Borgan Chu came up with a script (I can't find the original) which essentially took the output from "rpcinfo -p" on boot up and created the appropriate IPFilter rules from the ports listed there. This worked a treat on bootup, but had several limitations (not least that the rules go stale when a service restarts later), which Shawn Ferry discusses and resolves in "Dynamic Ipfilter Rules for RPC Services via SMF".
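To show the core of what both approaches do, here is an added example (my own illustration, not Borgan Chu's script nor any of Shawn's files) that turns "rpcinfo -p" output into IPFilter pass rules for a chosen set of RPC services. The rpcinfo output embedded in it is constructed to look like Solaris 10 output, with made-up ports in the anonymous range, and the client network 192.0.2.0/24 is an assumption; on a real host you would feed it the live "rpcinfo -p" output and load the result with ipf.

```sh
#!/bin/sh
# Added example, not the script the post describes: derive IPFilter rules
# from "rpcinfo -p" output. The sample below is constructed to look like
# Solaris 10 "rpcinfo -p" output; it was not captured from a real host.

# Constructed sample input (hypothetical ports in the Solaris anonymous range).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   udp  32771  mountd
    100005    3   tcp  32775  mountd
    100021    4   tcp   4045  nlockmgr
    100024    1   udp  32772  status
    100024    1   tcp  32776  status
    100011    1   udp  32773  rquotad'

# Client network allowed to reach the RPC services (assumed value; adjust).
IPF_CLIENT="${IPF_CLIENT:-192.0.2.0/24}"

# rpc_rules SERVICE... : read "rpcinfo -p" output on stdin and print one
# "pass in quick" rule per distinct (proto, port) registered by the named
# services. Several versions of one program share a port (nfs v2/v3 on
# 2049 above) and must yield a single rule, hence the seen[] check.
rpc_rules() {
    awk -v want="$*" -v client="$IPF_CLIENT" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        NR > 1 && ($5 in keep) && !seen[$3 ":" $4]++ {
            printf "pass in quick proto %s from %s to any port = %s keep state # %s\n",
                   $3, client, $4, $5
        }'
}

# rpc_ruleset SERVICE... : the complete fragment to load. Clients must first
# reach rpcbind on port 111 to discover the dynamic ports, so that rule is
# static and always present; everything else comes from rpcinfo.
rpc_ruleset() {
    echo "# RPC rules generated from rpcinfo -p; the rpcbind port is fixed"
    echo "pass in quick proto tcp from $IPF_CLIENT to any port = 111 keep state"
    echo "pass in quick proto udp from $IPF_CLIENT to any port = 111 keep state"
    rpc_rules "$@"
}

# Demonstration on the constructed sample. On a real Solaris 10 host the
# input would be "/usr/bin/rpcinfo -p" and the output would be written to a
# file and loaded with "ipf -f <file>" (left out here so the example runs anywhere).
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_ruleset nfs mountd nlockmgr status
```

Note that only the services you name get rules, so status and rquotad stay blocked here even though they are registered, and that the rpcbind rule is the one piece that never changes. The whole point of Shawn's SMF method is to re-run exactly this kind of generation whenever one of the watched services restarts, rather than once at boot.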

Unfortunately, Shawn didn't provide all the scripts he uses in his solution when discussing it on his blog, but he did post them on the security-discuss forum at opensolaris.org sometime last year. Locating these was a bit challenging, but I've done just this and made this post to make it easier for you.

In order to implement Shawn's solution, you need to download the following files (I've copied them locally):

ipfilter_rpcbind - This is the service method. Place in /lib/svc/method/
ipfilter_rpcbind.cfg - This is an example config file. Customize and place in /etc/ipf/
ipfilter_rpcbind.xml - This is the service manifest. Place in /var/svc/manifest/application/

Next, import the manifest:

# /usr/sbin/svccfg -v import \
/var/svc/manifest/application/ipfilter_rpcbind.xml

Set the services you want to watch for refresh. The svcs pattern below picks up every enabled rpc, nis and nfs service instance, and the awk filter drops rpc/bind itself and the ipfilter service so they aren't included in the list (svcs -H prints STATE STIME FMRI, hence $3 is the FMRI):

# /usr/sbin/svccfg -s ipfilter:rpcbind setprop \
"rpc_services/entities = fmri: (`/usr/bin/svcs -H \
\*rpc\* \*nis\* \*nfs\* | awk '$NF !~ /bind:default|ipfilter/ \
{ print $3 }'`)"

Refresh the service:

# /usr/sbin/svcadm refresh ipfilter:rpcbind

You should now have SMF and IPFilter working in tandem: whenever one of the watched services is restarted, the method script regenerates the IPFilter rules for the ports it has registered, so your specified RPC services stay reachable through the firewall on the local machine.

This method has one major limitation: it only takes into account the RPC services running on that machine, because the port numbers come from the local rpcbind. Accordingly, you can't use this method on a host that is exclusively an IPFilter firewall sitting between two other hosts using an RPC service.

It is important to remember that IPFilter is not yet as advanced as some of the more intelligent applications like SunScreen and Checkpoint Firewall-1. You will need to assess your needs and other options before committing to IPFilter. If it's NFS you're trying to pass through the firewall, NFSv4 is worth a look: it uses the single well-known port 2049 and doesn't need separate mountd, lockd and statd ports, so it can be handled with ordinary static rules.

Copyright © 2005 - 2018 Colin Seymour All rights reserved. Privacy Policy.