rpcports man page on IRIX




RPCPORT(4)							    RPCPORT(4)

NAME
     rpcports - RPC port restriction data base

SYNOPSIS
     /etc/rpcports

DESCRIPTION
     The rpcports file contains rules that can be used by the system
     administrator to restrict the ranges of TCP and UDP ports used by RPC
     services.	This can be useful for:

     o	  using the narrowest possible firewall rules to pass specific RPC
	  services, or

     o	  preventing RPC services registered with inetd from binding to
	  specific ports needed by non-RPC servers which start after inetd, or

     o	  forcing specific RPC services to run on privileged ports.

     The file comprises a sequence of rules, each contained on a single line
     with fields separated by any number of space or tab characters.  Empty
     lines and lines beginning with a ``#'' character are ignored.  Each rule
     has the following fields:

     program   RPC program number (see rpc(4)), or the capitalized keyword
	       ANY.

     transport Transport name, one of udp, udp4, udp46, udp6, tcp, tcp4, tcp46
	       or tcp6. Note that for historical reasons tcp is the synonym
	       for tcp46 and udp for udp46.

     port      Port, or port range expressed as a pair of ports separated only
	       by a ``-'' character, without any space or tab characters.  A
	       port is specified numerically.

     access    Whether the port or port range is available, either allow or
	       deny.

     An application wishing to use the file calls the sgi_bindrpcport function
     (see sgi_bindrpcport(3)) while creating an RPC service.  The function
     reads the entire file and matches all the rules against the service in
     the order they appear in the file.	 A rule matches if both the program
     field matches the RPC program number of the service and the transport
     field matches the transport protocol of the service.  A rule with a
     program field of ANY matches all program numbers (the transport field
     must still match exactly).

     If a rule matches, the port or port range specified in the rule is added
     to the list of allowable ports (if the access field is allow) or removed
     from the list of allowable ports (if the access field is deny).  These
     effects are cumulative and are applied in the order seen in the file.
     For example, a later allow will override an earlier deny.  Note that
     initially all ports are denied.

     Once a list of allowed ports has been constructed, the function will
     attempt to bind the service socket to ports in the list.  The order in
     which ports are tried is not defined, except that all reserved ports in
     the list will be tried before any non-reserved ports.

     Ports can fail to be bound because the file is missing or corrupted, or
     no rules match the service, or applying the rules leaves no allowed
     ports, or all the ports specified are already bound to sockets.

     If no port could be bound the function returns an error to the
     application, which then takes suitable action.  Most applications will
     fall back to binding to any reserved port (if the process has sufficient
     privilege) then finally to binding to any non-reserved port.

     The file is not shipped in IRIX and is expected to be created by system
     administrators as a local customisation.  See EXAMPLES below.
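
     The matching rules described above can be checked offline before a file
     is installed. The following is an added example, not part of the IRIX
     man page or of sgi_bindrpcport: the names parse_rules, allowed_ports and
     RuleError are hypothetical, the sample file is constructed, and treating
     ports below 1024 as reserved is an assumption.

```python
import re

SYNONYMS = {"tcp": "tcp46", "udp": "udp46"}   # synonyms stated on the page
TRANSPORTS = {"udp4", "udp46", "udp6", "tcp4", "tcp46", "tcp6"}
RESERVED_MAX = 1023   # assumption: "reserved" means ports below 1024

class RuleError(ValueError):
    """A line that does not follow the four-field rule format."""

def parse_rules(text):
    """Return a list of (program or None for ANY, transport, ports, access)."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue                      # empty line or comment
        fields = line.split()             # any number of spaces or tabs
        if len(fields) != 4:
            raise RuleError(f"line {n}: expected 4 fields, got {len(fields)}")
        prog, transport, port, access = fields
        transport = SYNONYMS.get(transport, transport)
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", port)
        if not (prog == "ANY" or re.fullmatch(r"\d+", prog)) or not m \
                or transport not in TRANSPORTS or access not in ("allow", "deny"):
            raise RuleError(f"line {n}: bad field in {line!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= lo <= hi <= 65535:
            raise RuleError(f"line {n}: bad port range {port!r}")
        rules.append((None if prog == "ANY" else int(prog), transport,
                      range(lo, hi + 1), access))
    return rules

def allowed_ports(rules, program, transport):
    """Apply matching rules in file order; reserved ports come first."""
    transport = SYNONYMS.get(transport, transport)  # only tcp/udp are aliased
    allowed = set()                       # initially all ports are denied
    for prog, tr, ports, access in rules:
        if tr != transport or prog not in (None, program):
            continue                      # transport must match exactly
        if access == "allow":
            allowed.update(ports)
        else:
            allowed.difference_update(ports)
    # Order inside each group is undefined on IRIX; sorted here for stable output.
    return sorted(allowed, key=lambda p: (p > RESERVED_MAX, p))

# Constructed sample: a later allow re-opens part of an earlier deny for mountd.
SAMPLE = """# program  transport  port       access
ANY     tcp   900-999    allow
ANY     tcp   2000-2999  allow
ANY     tcp   950-955    deny
100005  tcp   950-952    allow
100005  udp   950-952    allow
"""
```

     An empty result from allowed_ports corresponds to the cases where no
     rules match or no ports remain, in which the service falls back to its
     default binding and any firewall rule written for the restricted range
     will not cover it.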

CAVEATS
     The rpcports database can only be read from the file /etc/rpcports on the
     local system, and cannot be read through the Unified Name Service
     architecture (see uns(4)).

     Some RPC services use fixed ports for various reasons and cannot be
     changed using the /etc/rpcports file.  The portmap and rpcbind services
     use port 111 to allow clients to rendezvous easily.  RPC services
     provided by the kernel always appear on port 2049.	 The autofsd daemon
     always appears on port 2048 because of a kernel limitation.

     Because use of the /etc/rpcports file requires application code to be
     changed, not all the RPC services on an IRIX system may respond to
     changes in the file.

EXAMPLES
     The following is an example of using the /etc/rpcports file to force the
     mountd service to use a reserved port.  Note the use of a small range of
     ports rather than a single fixed port, which provides some robustness if
     other servers are also using that port, or if inetd is restarted while
     mountd is still running.

     # Example /etc/rpcports
     # program	     transport	     port	 access
     #
     # force mountd services to range 950-952
     100005	     udp	     950-952	 allow
     100005	     tcp	     950-952	 allow
     # force sgi_mountd services to range 953-955
     391004	     udp	     953-955	 allow
     391004	     tcp	     953-955	 allow

     This example restricts all RPC services to a pair of port ranges, one
     reserved and one non-reserved.  Note that all RPC services started from
     inetd will use the reserved port range because inetd itself is
     privileged.

     # Example /etc/rpcports
     # program	     transport	     port	 access
     #
     # reserved port range for all services
     ANY	     udp	     900-999	 allow
     ANY	     tcp	     900-999	 allow
     # non-reserved port range for all services
     ANY	     udp	     2000-2999	 allow
     ANY	     tcp	     2000-2999	 allow

FILES
     /etc/rpcports

SEE ALSO
     rpc(4), sgi_bindrpcport(3R).

ORIGIN
     The /etc/rpcports file is specific to IRIX and first appeared in IRIX
     6.5.20. Support for transport-specific protocols, such as udp6 or tcp4,
     was added in IRIX 6.5.29.
