How to secure rpc and nlockmgr RPC Service for hp unix NFS sharing ?

arunaphcl
Advisor

How to secure rpc and nlockmgr RPC Service for hp unix NFS sharing ?

3 REPLIES
arunaphcl
Advisor

Re: How to secure rpc and nlockmgr RPC Service for hp unix NFS sharing ?

Please assist me experts on this..

Dennis Handly
Acclaimed Contributor

Re: How to secure rpc and nlockmgr RPC Service for HP-UX NFS sharing?

Are you looking for which ports to unblock in your firewall?

Matti_Kurkela
Honored Contributor

Re: How to secure rpc and nlockmgr RPC Service for hp unix NFS sharing ?

First, you'll need to configure fixed port numbers for the NFS-related services. You should do this on both your NFS server and all your NFS clients.

Depending on your HP-UX version, you may need to ensure that you have a specific patch installed:

11.31 - no patch required
11.23 - PHNE_34550 or superseding patch
11.11 - PHNE_34662 or superseding patch

 

Then you can add some lines to /etc/rc.config.d/nfsconf to specify fixed port numbers for the NFS-related services.

For example, these lines would fix lockd (nlockmgr) to port 4045, rpc.statd (status) to 4046 and rpc.mountd (mountd) to 4047:

STATD_PORT=4046
MOUNTD_PORT=4047

# in 11.31, lockd is always fixed to UDP port 4045 so this is not needed
LOCKD_PORT=4045 

 

After doing this and restarting your NFS services, they should be in fixed ports. Use "rpcinfo -p" to verify.

 

Once the services are bound to fixed ports, you can use external firewalls or the optional HP-UX IPFilter to restrict the connections to these ports to between your NFS server and legitimate NFS clients only. You'll also need to allow the portmapper/rpcinfo service (port 111, both TCP and UDP), since it is used to find the other NFS-related services (because the client will not know that you've specified fixed port numbers on the server, and vice versa).

MK
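
Added example (not part of the original reply): a POSIX shell check that compares `rpcinfo -p` output against the example port numbers given above, so that firewall rules are only written once the services really are on fixed ports. The sample output is constructed, and the five-column `rpcinfo -p` layout and the function names are assumptions.

```sh
#!/bin/sh
# Added example: verify that the NFS RPC services sit on the fixed ports
# chosen in /etc/rc.config.d/nfsconf (values follow the example in the post).
EXPECTED="portmapper:111 status:4046 mountd:4047 nlockmgr:4045"

# Constructed sample of `rpcinfo -p` output, not captured from a real host.
# mountd/udp is left on a dynamic port to show what a failed check looks like.
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   tcp   4046  status
    100024    1   udp   4046  status
    100021    4   tcp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100005    3   udp  49153  mountd
    100005    3   tcp   4047  mountd
    100003    3   udp   2049  nfs
EOF
}

# Reads `rpcinfo -p` output on stdin. Prints one line per registration that
# is on an unexpected port and one per expected service that is not
# registered at all. Returns 0 when everything matches, 1 otherwise.
check_rpc_ports() {
  awk -v expected="$EXPECTED" '
    BEGIN {
      n = split(expected, pairs, " ")
      for (i = 1; i <= n; i++) { split(pairs[i], kv, ":"); want[kv[1]] = kv[2] }
    }
    ($5 in want) {
      seen[$5] = 1
      if ($4 != want[$5]) {
        printf "MISMATCH %s/%s on port %s, expected %s\n", $5, $3, $4, want[$5]
        bad = 1
      }
    }
    END {
      for (s in want) if (!(s in seen)) { printf "MISSING %s\n", s; bad = 1 }
      exit bad + 0
    }'
}

# On a real host: rpcinfo -p | check_rpc_ports
sample_rpcinfo | check_rpc_ports ||
  echo "Ports not fixed yet: recheck nfsconf and restart NFS before adding firewall rules"
```

Run it on the NFS server and on each client; a service that still appears on a dynamic port would not be covered by rules written for the fixed port numbers.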