[systemd-devel] Question about a random UDP port on rpcbind 0.2.3 started by systemd

Bao Nguyen baondt at gmail.com
Fri Jan 26 02:48:02 UTC 2018


Hello everyone,

I would like to ask you a question regarding the new random UDP port in
rpcbind 0.2.3.

In rpcbind 0.2.3, when I start rpcbind (version 0.2.3) through
rpcbind.service, then I do netstat

udp        0      0 0.0.0.0:111             0.0.0.0:*                           10408/rpcbind
udp        0      0 0.0.0.0:831             0.0.0.0:*                           10408/rpcbind
udp6       0      0 :::111                  :::*                                10408/rpcbind
udp6       0      0 :::831                  :::*                                10408/rpcbind

rpcbind does not only listen on port 111 but also on a random UDP port,
"831" in this case; this port changes every time the rpcbind service
restarts. And it listens on 0.0.0.0, so it opens a security hole.

I have looked into the changes in rpcbind 0.2.3 and found the change
"rpcbind: add support for systemd socket activation"; it calls the
function sd_listen_fds. I do not know much about systemd socket activation
programming. Is the "831" port generated by rpcbind to communicate
with systemd socket activation?

Could you please let me know what this port is for, and is there any way to
avoid that, like forcing it to listen on an internal interface rather than on
any interface like that? As rpcbind is started from systemd, the "-h" option
is invalid, as the man page says:


   -h      Specify specific IP addresses to bind to for UDP requests.  This
           option may be specified multiple times and can be used to restrict the
           interfaces rpcbind will respond to.  Note that when rpcbind is controlled
           via systemd's socket activation, the -h option is ignored. In this
           case, you need to edit the ListenStream and ListenDgram definitions in
           /usr/lib/systemd/system/rpcbind.socket instead.



Thanks a lot,
Brs,
Bao
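The listing in the post suggests one check an operator can script; this is an added example, not part of the original message or of rpcbind: given netstat -ulnp output, it reports rpcbind UDP sockets bound to the wildcard address on any port other than the portmapper port 111. The sample lines are constructed from the ones quoted above (rejoined), plus one unrelated socket to show it is ignored.

```shell
#!/bin/sh
# Constructed sample modelled on the netstat -ulnp lines in the post
# (wrapped lines rejoined); the chronyd line is made up as a negative case.
SAMPLE_NETSTAT='udp        0      0 0.0.0.0:111             0.0.0.0:*               10408/rpcbind
udp        0      0 0.0.0.0:831             0.0.0.0:*               10408/rpcbind
udp6       0      0 :::111                  :::*                    10408/rpcbind
udp6       0      0 :::831                  :::*                    10408/rpcbind
udp        0      0 127.0.0.1:323           0.0.0.0:*               512/chronyd'

# Reads netstat -ulnp style lines on stdin and prints "proto addr port" for
# every rpcbind UDP socket bound to 0.0.0.0 or :: on a port other than 111.
# Anything it prints is a listener the rpcbind.socket unit did not define.
unexpected_rpcbind_udp() {
    awk '
        $1 ~ /^udp6?$/ && $NF ~ /\/rpcbind$/ {
            n = split($4, f, ":")                   # port is the last ":" field
            port = f[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if ((addr == "0.0.0.0" || addr == "::") && port != "111")
                print $1, addr, port
        }'
}

# Live check (needs root for the PID/program column):
#   netstat -ulnp | unexpected_rpcbind_udp
```

Run against the sample, it prints the two "831" lines and nothing else.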