Red Hat Bugzilla – Bug 78723
Protecting portmap With iptables
Last modified: 2007-04-18 12:48:45 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021127
Description of problem:
Chapter 5. Server Security
Could you add a note that when protecting portmap with iptables it might be
important to allow connections to localhost:sunrpc.
Why? Because dropping packets on 127.0.0.1:111 prevents fam from working
correctly. Fam might not be the only component that depends on sunrpc.
I will look into this and update the server chapter for the next revision.
Thank you so much for catching this.
Below are two example iptables commands that
allow TCP connections to the portmap service (listening on
port 111) from the 192.168.0/24 network and from the localhost (which
is necessary for the sgi_fam service used by
Nautilus). All other packets are dropped.
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT
Thanks for catching that.
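
A check for the failure this bug describes, added here as an example and not part of the bug report or the Red Hat guide: it walks `iptables -S INPUT` output in rule order and reports the verdict a TCP packet from 127.0.0.1 to port 111 would get. The function name, the sample rulesets and the DROP rule are constructed for illustration; only -p, -s, -i, --dport and -j are interpreted.

```shell
#!/bin/sh
# Added example: reads `iptables -S INPUT` text on stdin and prints the verdict
# (ACCEPT/DROP/REJECT) for a TCP packet from 127.0.0.1 on lo to port 111.
# Assumption: rules with negation (!) or other match modules are skipped.
portmap_loopback_verdict() {
    awk '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    /!/ { next }
    {
        proto = src = iface = dport = target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p") proto = $(i+1)
            else if ($i == "-s") src = $(i+1)
            else if ($i == "-i") iface = $(i+1)
            else if ($i == "--dport") dport = $(i+1)
            else if ($i == "-j") target = $(i+1)
        }
        # Skip rules that cannot match a loopback TCP packet to port 111.
        if (proto != "" && proto != "tcp" && proto != "all") next
        if (dport != "" && dport != "111") next
        if (iface != "" && iface != "lo") next
        if (src != "" && src !~ /^127\.0\.0\.(1(\/32)?|0\/8)$/) next
        # First terminating rule that matches decides the packet.
        if (target == "ACCEPT" || target == "DROP" || target == "REJECT") {
            print target; found = 1; exit
        }
    }
    # No rule matched: the chain policy applies (ACCEPT if none was listed).
    END { if (!found) print (policy == "" ? "ACCEPT" : policy) }
    '
}
# Constructed sample: port 111 open to the LAN only, so fam on localhost breaks.
sample_blocking() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 111 -j DROP
EOF
}
# Constructed sample: same ruleset with the localhost rule ahead of the DROP.
sample_fixed() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 111 -j DROP
EOF
}
sample_blocking | portmap_loopback_verdict
sample_fixed | portmap_loopback_verdict
```

On a live host, pipe `iptables -S INPUT` (run as root) into portmap_loopback_verdict instead of the samples.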