HP-UX IPFilter Version 16 Administrator's Guide
12 HP-UX IPFilter and NFS and RPC
This chapter describes the use of NFS and RPC with IPFilter. It contains the following sections:
• “Introduction” (page 103)
• “Configuring NFS to Use Fixed Ports” (page 103)
• “Using the rpc.ipfboot Script to Update IPFilter Rules” (page 104)
Introduction
The NFS service uses multiple daemons. The NFS daemon, nfsd, listens for requests on the
static (fixed) TCP and UDP port number 2049. By default, the auxiliary daemons used for the
NFS services—rpc.lockd (lockd), rpc.mountd (mountd), and rpc.statd (statd)—listen
for service requests on dynamic port numbers. These daemons use the Remote Procedure Call
(RPC) protocol and register their port numbers with the port mapper daemon (rpc.portmap,
or portmap), which uses the static port number 111. Clients send requests to the portmap daemon
to get the dynamic port number of the service they want to access.
There are two methods to use IPFilter to process packets for the NFS auxiliary daemons:
1. Configure NFS to use static port numbers for the auxiliary daemons. You can then create
IPFilter rules for these port numbers. See “Configuring NFS to Use Fixed Ports” (page 103).
2. Use the script /etc/opt/ipf/rpc.ipf to query the portmap daemon and update IPFilter
rules with the dynamic port numbers. You can use this procedure for any service that uses
the RPC portmap mechanism. See “Using the rpc.ipfboot Script to Update IPFilter Rules”
(page 104).
Configuring NFS to Use Fixed Ports
You can configure NFS to use static port numbers for the lockd, mountd, and statd daemons
on the following systems:
• HP-UX 11.31 systems
• HP-UX 11.23 systems with the NFS patch PHNE_34550 or a patch that supersedes it
• HP-UX 11.11 systems with the NFS patch PHNE_34662 or a patch that supersedes it
On HP-UX 11.31 systems, the lockd daemon uses the static UDP port 4045 by default.
Use the following procedure to configure the fixed port numbers for the auxiliary NFS daemons:
1. Add the following entries to the end of the /etc/rc.config.d/nfsconf file:
STATD_PORT=port_number
MOUNTD_PORT=port_number
where port_number is the number of the port you want the daemon to use. This must be
a port that is not already in use. HP recommends that you use a number between 49152 and
65536, the range reserved for dynamic or private ports by the IANA.
On HP-UX 11.11 and HP-UX 11.23 systems, you must also add the following entry for lockd:
LOCKD_PORT=port_number
HP recommends that you use the value 4045 for the lockd daemon port to match the port
number used by the HP-UX 11.31 version of the lockd daemon.
2. Stop and restart the NFS client and server services in a manner consistent with your operating
procedures. For example, you can stop the NFS services by running the NFS control scripts
with the following commands:
# /sbin/init.d/nfs.client stop
# /sbin/init.d/nfs.server stop
You can also restart the NFS services with the following commands:
Introduction 103
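The following IPFilter rule set is an added example and is not part of the HP-UX guide; it shows the rules that the fixed-port procedure above makes possible. It assumes the nfsconf entries STATD_PORT=49152, MOUNTD_PORT=49153 and LOCKD_PORT=4045, an NFS server interface named lan0, and a client network of 192.168.10.0/24 (all constructed values).

```conf
# Added example, not from the HP-UX IPFilter guide. Assumed nfsconf settings:
#   STATD_PORT=49152   MOUNTD_PORT=49153   LOCKD_PORT=4045
# Assumed server interface lan0 and client network 192.168.10.0/24.

# Default deny for inbound traffic on lan0. No "quick" here, so a later
# matching "pass ... quick" rule wins for the ports listed below.
block in log on lan0 all

# rpc.portmap: static port 111, TCP and UDP. Clients ask it for the
# port numbers of the auxiliary daemons, so it must stay reachable.
pass in quick on lan0 proto tcp from 192.168.10.0/24 to any port = 111 flags S keep state
pass in quick on lan0 proto udp from 192.168.10.0/24 to any port = 111 keep state

# nfsd: static port 2049, TCP and UDP.
pass in quick on lan0 proto tcp from 192.168.10.0/24 to any port = 2049 flags S keep state
pass in quick on lan0 proto udp from 192.168.10.0/24 to any port = 2049 keep state

# rpc.lockd on the LOCKD_PORT value (4045, matching the 11.31 default).
pass in quick on lan0 proto tcp from 192.168.10.0/24 to any port = 4045 flags S keep state
pass in quick on lan0 proto udp from 192.168.10.0/24 to any port = 4045 keep state

# rpc.mountd on the MOUNTD_PORT value.
pass in quick on lan0 proto tcp from 192.168.10.0/24 to any port = 49153 flags S keep state
pass in quick on lan0 proto udp from 192.168.10.0/24 to any port = 49153 keep state

# rpc.statd on the STATD_PORT value.
pass in quick on lan0 proto tcp from 192.168.10.0/24 to any port = 49152 flags S keep state
pass in quick on lan0 proto udp from 192.168.10.0/24 to any port = 49152 keep state

# Everything else from the client network, and all other sources, falls
# through to the logged block rule above.
```

After restarting the NFS services, confirm with rpcinfo -p on the server that mountd, status and nlockmgr are registered on the configured ports before loading these rules; a daemon that silently fell back to a dynamic port would otherwise be blocked.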