Description of problem:

Most network-listening daemons in Fedora can be instructed to bind to the loopback interface only. Portmap is an exception. This is a particular problem on desktop installations where the file alteration monitor (fam) needs portmap (on servers, one may simply remove portmap if it isn't needed). FAM seems to be on the path to removal in the next, or subsequent, Fedora Core releases; but until then, I believe that a modified portmap package should be shipped.

I've created a patch which adds a "-l" switch to portmap, instructing it to bind to 127.0.0.1 only. Also, I have changed the init-script to look for a /etc/sysconfig/portmap script and honor whatever $OPTIONS exist there when starting the daemon; in addition, I have added a /etc/sysconfig/portmap file consisting of one line:

OPTIONS="-l"

This means that portmap will not listen on publicly exposed interfaces by default, in line with other recent Fedora/Red Hat changes, such as sendmail's default loopback-only behaviour (and X's ditto?).

I know that portmap access can be restricted using hosts.allow/hosts.deny, but that doesn't help much if a security bug is found in the code initially accepting portmap traffic.

While messing with the portmap package, I also changed the initscript such that bug #99308 is closed.

My portmap patch, and other files for the altered portmap package, are here: http://troels.arvin.dk/portmap-rpm-changes/

The portmap patch has been sent to the upstream project manager (Wietse Venema). I've tested the altered portmap package on my laptop, and FAM-dependent applications seem to work well.

I suggest that an altered portmap package like the one proposed be included in Fedora Core. If the Fedora Core developers think it's too drastic not to have portmap listening on all interfaces by default, then the default behaviour could be changed (although I don't recommend it).
Version-Release number of selected component (if applicable): portmap-4.0-59

How reproducible: Always

Steps to Reproduce: There is no way to make the current portmap daemon bind to 127.0.0.1 only. (Checked documentation and code.)

Additional info:
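As an added example (not part of the bug report, the linked patch, or the Fedora package), a shell sketch of the two pieces the report describes: an init-script fragment that sources /etc/sysconfig/portmap and honours $OPTIONS when building the portmap command line, and a check that parses netstat -tuln style output to confirm that port 111 (sunrpc) is bound to loopback only. The sysconfig-path argument, the helper names and the column layout assumed for the listing are mine; the sample listing in the usage is constructed.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Fedora portmap package.

# Build the portmap command line the way the reported init-script change does:
# source the sysconfig file (path in $1, default /etc/sysconfig/portmap, so a
# test can point it at a constructed file) and append whatever $OPTIONS it set.
# With the proposed one-line file OPTIONS="-l" this yields: portmap -l
portmap_cmdline() {
    sysconfig="${1:-/etc/sysconfig/portmap}"
    OPTIONS=""
    # shellcheck disable=SC1090
    [ -r "$sysconfig" ] && . "$sysconfig"
    printf 'portmap%s\n' "${OPTIONS:+ $OPTIONS}"
}

# Read a netstat -tuln style listing on stdin ($4 is the "Local Address"
# column) and flag any socket on port 111 that is not bound to a loopback
# address. Prints offending lines; returns 1 if any were found, else 0.
check_loopback_only() {
    awk '
        $4 ~ /:111$/ && $4 !~ /^127\.0\.0\.1:111$/ && $4 !~ /^::1:111$/ {
            print; bad = 1
        }
        END { exit bad + 0 }
    '
}

# Usage sketch (uncomment on a real host after starting the daemon):
# netstat -tuln | check_loopback_only && echo "portmap is loopback-only"
```

Sourcing the sysconfig file also makes the default configurable without editing the init-script, which is the point of the proposed OPTIONS hook.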
It probably does make sense to enable portmapper to only listen on the loopback interface.
I have updated the files at http://troels.arvin.dk/portmap-rpm-changes/ to include an adjusted man page, as well.
This patch is in version -63.
The option to make portmap listen on the loopback interface only is now in Fedora Core 3, although the loopback-only isn't the default behaviour (unfortunately). I'm closing this feature request.