The portmap service is a dynamic port
assignment daemon for RPC services such as NIS and NFS. It has weak
authentication mechanisms and has the ability to assign a wide
range of ports for the services it controls. For these reasons, it
is difficult to secure.
Securing portmap only affects NFSv2 and
NFSv3 implementations, since NFSv4 no longer requires it. If you
plan to implement an NFSv2 or NFSv3 server, then portmap is required, and the following section
If running RPC services, follow these basic rules.
It is important to use TCP wrappers to limit which networks or
hosts have access to the portmap service
since it has no built-in form of authentication.
Further, use only IP addresses when
limiting access to the service. Avoid using hostnames, as they can
be forged via DNS poisoning and other methods.
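As an added example (not part of the original guide), the following Python check scans hosts.allow content for rules that apply to portmap and reports any client entry that depends on a name rather than an IP address. The function names and the sample file content are hypothetical and constructed for illustration; it assumes IPv4 and the standard hosts_access "daemon_list : client_list" layout.

```python
import ipaddress
import re

# ALL and EXCEPT need no name lookup; LOCAL, KNOWN, UNKNOWN, PARANOID do.
NAME_FREE = {"ALL", "EXCEPT"}

def is_ip_pattern(token):
    """True for an IPv4 address, net/mask, or dotted prefix like '192.168.0.'."""
    if re.fullmatch(r"(\d{1,3}\.){1,3}", token):
        return all(int(o) <= 255 for o in token.rstrip(".").split("."))
    addr, _, mask = token.partition("/")
    try:
        ipaddress.IPv4Address(addr)
        if mask:
            ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        return True
    except ValueError:
        return False

def audit_portmap_clients(text):
    """Return (line_no, token) for every portmap client that is not an IP pattern."""
    findings, pending, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        start = start if pending else n    # first line of a continued rule
        line = pending + raw.strip()
        if line.endswith("\\"):            # backslash joins the next line
            pending = line[:-1] + " "
            continue
        pending = ""
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 2:
            continue
        daemons = re.split(r"[,\s]+", fields[0].strip())
        # A rule for ALL daemons also governs portmap.
        if not any(d.split("@")[0] in ("portmap", "ALL") for d in daemons):
            continue
        for tok in re.split(r"[,\s]+", fields[1].strip()):
            if tok and tok not in NAME_FREE and not is_ip_pattern(tok):
                findings.append((start, tok))
    return findings

# Constructed sample hosts.allow content (not taken from a real system).
SAMPLE = ("# portmap access\nportmap: 192.168.0.0/255.255.255.0 127.0.0.1\n"
          "portmap: nfsclient.example.com, .example.com\n"
          "sshd: admin.example.com\nALL: 192.168.0. LOCAL\n")

if __name__ == "__main__":
    for line_no, token in audit_portmap_clients(SAMPLE):
        print(f"line {line_no}: '{token}' is name-based; use an IP address")
```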
To further restrict access to the portmap service, it is a good idea to add IPTables
rules to the server and restrict access to specific networks.
Below are two example IPTables commands that allow TCP
connections to the portmap service
(listening on port 111) from the 192.168.0.0/24 network and from the
localhost (which is necessary for the sgi_fam service used by Nautilus). All other packets are dropped.
Because rules are evaluated in order, the localhost ACCEPT rule must be added before the DROP rule.
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT
iptables -A INPUT -p tcp ! -s 192.168.0.0/24 --dport 111 -j DROP
To similarly limit UDP traffic, use the following command.
iptables -A INPUT -p udp ! -s 192.168.0.0/24 --dport 111 -j DROP
Refer to Chapter 7 Firewalls for
more information about implementing firewalls with IPTables.