How do I get portmap to not listen on external interfaces?

[Infohawk]

I don't want sunrpc / portmap listening on eth1. I need it for FAM and Gnome.

Someone told me to:

for /etc/hosts.deny, you should have
ALL: ALL
portmap: ALL

and in /etc/hosts.allow
portmap: 127.0.0.1

This solution, upon reboot, prevented me from connecting to my network (via the external interface) and caused problems with a daemon that contacts 127.0.0.1.

Anyone know how to do this? Or what was wrong with my implementation of that guys' advice?

I'm not interested in firewall solutions.

(PS anyone know how to restart sunprc / portmap without rebooting? Using the debian initscripts didn't seem to work. I had to restart).

I'm using debian unstable. Let me know if you need other info.

 

[n0cmonkey]

What you did only allowed portmap on lo, not eth1. You could try a ALL:127.0.0.1 to solve the lo problem.

To restart portmap, you should just need to hup inetd.

 

[Infohawk]

Originally posted by: n0cmonkey
What you did only allowed portmap on lo, not eth1. You could try a ALL:127.0.0.1 to solve the lo problem.

To restart portmap, you should just need to hup inetd.

So you think I should enter:

for /etc/hosts.deny, you should have
ALL: 127.0.0.1
portmap: ALL

and in /etc/hosts.allow
portmap: 127.0.0.1

Also, I'm not using inetd (because nothing else I need uses it) and the debian docs say not to use it if that's the case. Does that change anything?

 

[n0cmonkey]

No, what I think you should try is:

/etc/hosts.deny:
ALL:ALL

/etc/hosts.allow
ALL:127.0.0.1
portmap:eth1

Replace eth1 with the address for eth1.

And if you aren't using inetd, try a hup.

 

[Infohawk]

What if I get the address for eth1 through dhcp and it changes all the time? :/

 

[n0cmonkey]

Originally posted by: Infohawk
What if I get the address for eth1 through dhcp and it changes all the time? :/

Good question.

Why put portmap (AN EXTREMELY FRAGILE DAEMON WITH A BAD HISTORY) on the outside?

 

[Infohawk]

What do you mean put portmap on the outside? :/ On the outside interface? That's what I'm trying to fix. Right now it's listening on 111 on eth1 (the outside interface). I just want it to listen on 127.0.0.1 which I assume will make FAM and thus gnome happy. But maybe I misunderstood the question.

Basically I have localhost, eth0 and eth1. eth0 is basically a broken network card with nothing attached. eth1 is the external interface via pcmcia. If that doens't make sense I can provide more information.

 

[n0cmonkey]

Oops, misread the first post.

/etc/hosts.deny:

ALL:ALL

/etc/hosts.allow:

ALL:127.0.0.1
portmap:127.0.0.1

But check /etc/services for portmap. If it isn't in there, you might need something else instead (rpc?).

 

[Infohawk]

okay, I made those changes to the files. I see pormap in services (in comments of sunrpc line).

About "hup", do you mean nohup? I have no command named hup. :/

or is that a signal? kill -1 [portmapper pid]?

 

[n0cmonkey]

Originally posted by: Infohawk
okay, I made those changes to the files. I see pormap in services (in comments of sunrpc line).

About "hup", do you mean nohup? I have no command named hup. :/

or is that a signal? kill -1 [portmapper pid]?

kill -HUP pid

Might be a 1, not sure. Never looked it up.

netstat -a | grep portmap might show you if portmap is running. Or it might just be hiding behind 111/rpc.

 

[Infohawk]

Thanks! That seems to have done it!

:beer:

 

[n0cmonkey]

These threads go easier when everyone reads the original post correctly.