Maik
Advisor

Firewall drops portmapper traffic (udp111)

Hello guys,

Last week I opened a thread in order to verify that my assumption regarding RPC traffic and the related firewall configuration is/was correct. Now I tried to implement the related rule(s) and saw that the portmapper traffic is getting dropped via the cleanup rule. I am trying to achieve a NFS communication between a client and an AIX (Oracle/Sun) machine. The related document that explains the general procedure and required rules does not help me in this case.

The Security Gateway runs Gaia R76.50, the management server runs R80.10.

I tried the following things:

1. Client ==> Server ~ via Service "nfsprog" (predefined with program number 100003)

2. Client ==> Server ~ via Service "nfsprog"
   Server ==> Client ~ via Service "nfsprog"

3. Client ==> Server ~ via Service ALL_DCE_RPC (predefined with the interface UUID of "any"... 00000000-000 etc.)
   Server ==> Client ~ via Service ALL_DCE_RPC

In each case the only thing I can see are drops for UDP 111. Related to several documentations you should not allow the port mapper port on its own (not specify UDP 111 in the related rules within the service column). Only without manually specifying the port the Security Gateway is able to dynamically allow the port mapper traffic related to the specified RPC services - that's why I did not specify it within the services for the related rules.

Now my question is - why do I see drops for the port mapper port?

Do I need to tell the firewall which port mapper port is being used - how can I do that?

Are there any SKs or other documentations that I am missing?

Thank you very much in advance for any advice regarding this issue.

3 Replies
PhoneBoy
Admin

Pretty sure your rule must include the relevant portmapper service (either MS-RPC or Unix-RPC) in addition to the relevant RPC service.

This is needed to allow the firewall to “see” the portmapper traffic to act on it.

Carsten_R
Contributor

I have a similar issue with an R80.10 gateway running with take 121.

The rule allows the pre-defined NFS service group and tcp_111 (the server 10.214.1.100 uses NFSv2 with tcp).

Packet 6 tells the high port, but that will be dropped

You'll see on the 6th packet that the high port 40177 should be used for further communication, but the firewall will drop that port.

Have you any idea?

I'm not sure if a newer Jumbo will fix that (there is a fix for DCE-RPC (PMTR-14596, PMTR-10574)).

0 Kudos
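PhoneBoy's answer and Carsten's packet capture describe the same mechanism from two sides: the gateway can only open the high port that the portmapper hands out (port 40177 in Carsten's 6th packet) if its RPC inspection actually gets to see the portmapper GETPORT call and reply, and it only sees them when the rule also matches the portmapper service. The Python model below is an added example, not Check Point code and not the gateway's real implementation: it parses constructed Sun RPC portmapper v2 GETPORT messages (RFC 5531/1833 layout) and simulates a minimal stateful inspector that learns a (server, protocol, port) tuple from a reply only for allowed program numbers. The client address 10.0.0.5, the XID 0x1234 and the `RpcInspector` class are assumptions; the server 10.214.1.100, program 100003 and port 40177 come from the thread.

```python
"""Model of why the portmapper exchange must be inspectable before a
firewall can dynamically allow an RPC program's high port.
Added example: constructed messages, not traffic from the thread."""
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
NFS_PROG = 100003                      # "nfsprog" in the predefined service
IPPROTO_TCP, IPPROTO_UDP = 6, 17
CALL, REPLY = 0, 1                     # RPC msg_type (RFC 5531)
MSG_ACCEPTED, SUCCESS = 0, 0           # reply_stat / accept_stat
RPC_HEADER = ">IIIIII"                 # six 4-byte big-endian XDR uints


def build_getport_call(xid, prog, vers, proto):
    """Portmapper GETPORT call (UDP-style, no TCP record mark)."""
    header = struct.pack(RPC_HEADER, xid, CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack(">IIII", 0, 0, 0, 0)          # AUTH_NONE cred + verf
    args = struct.pack(">IIII", prog, vers, proto, 0)  # pmap mapping, port unused
    return header + auth + args


def build_getport_reply(xid, port):
    """Accepted GETPORT reply carrying the port the program listens on."""
    header = struct.pack(RPC_HEADER, xid, REPLY, MSG_ACCEPTED, 0, 0, SUCCESS)
    return header + struct.pack(">I", port)


def _xdr_pad(n):
    return (n + 3) & ~3                  # XDR opaque data is padded to 4 bytes


def parse_getport_call(data):
    if len(data) < 24:
        return None
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(RPC_HEADER, data, 0)
    if mtype != CALL or rpcvers != 2 or prog != PMAP_PROG or proc != PMAPPROC_GETPORT:
        return None
    off = 24
    for _ in range(2):                   # skip credential and verifier
        _flavor, length = struct.unpack_from(">II", data, off)
        off += 8 + _xdr_pad(length)
    tprog, tvers, tproto, _port = struct.unpack_from(">IIII", data, off)
    return {"xid": xid, "prog": tprog, "vers": tvers, "proto": tproto}


def parse_getport_reply(data):
    if len(data) < 24:
        return None
    xid, mtype, stat, _vflavor, vlen = struct.unpack_from(">IIIII", data, 0)
    if mtype != REPLY or stat != MSG_ACCEPTED:
        return None
    off = 20 + _xdr_pad(vlen)
    (accept_stat,) = struct.unpack_from(">I", data, off)
    if accept_stat != SUCCESS:
        return None
    (port,) = struct.unpack_from(">I", data, off + 4)
    return {"xid": xid, "port": port}


class RpcInspector:
    """Assumed minimal stateful inspector: pairs GETPORT replies with their
    calls by XID and learns a dynamic allow only for permitted programs."""

    def __init__(self, allowed_programs):
        self.allowed = set(allowed_programs)
        self.pending = {}                # (client, xid) -> (server, call)
        self.dynamic_allows = set()      # (server, proto, port)

    def observe(self, src, dst, payload):
        call = parse_getport_call(payload)
        if call:
            self.pending[(src, call["xid"])] = (dst, call)
            return None
        reply = parse_getport_reply(payload)
        if not reply or (dst, reply["xid"]) not in self.pending:
            return None
        server, call = self.pending.pop((dst, reply["xid"]))
        if server != src or call["prog"] not in self.allowed or reply["port"] == 0:
            return None                  # wrong peer, unpermitted program, or unregistered
        entry = (server, call["proto"], reply["port"])
        self.dynamic_allows.add(entry)
        return entry

    def permits(self, server, proto, port):
        return (server, proto, port) in self.dynamic_allows


def simulate(rule_includes_portmapper):
    """Does the NFS high port get allowed, given whether the rule lets the
    inspector see the portmapper exchange at all?"""
    inspector = RpcInspector({NFS_PROG})
    client, server = "10.0.0.5", "10.214.1.100"      # client address constructed
    call = build_getport_call(0x1234, NFS_PROG, 2, IPPROTO_TCP)
    reply = build_getport_reply(0x1234, 40177)
    if rule_includes_portmapper:
        inspector.observe(client, server, call)
        inspector.observe(server, client, reply)
    # otherwise both datagrams hit the cleanup rule and nothing is learned
    return inspector.permits(server, IPPROTO_TCP, 40177)


if __name__ == "__main__":
    print("with portmapper service in rule:", simulate(True))
    print("without portmapper service in rule:", simulate(False))
```

The second run mirrors the original post: the GETPORT datagrams are dropped by the cleanup rule, the inspector never pairs a reply with a call, and the high port is later dropped too, even though the NFS program number is allowed.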
PhoneBoy
Admin

Probably best to check with the TAC.

How To Open a Case with TAC and/or Account Services

0 Kudos
