[systemd-devel] Question about a random UDP port on rpcbind 0.2.3 started by systemd

Jérémy Rosen jeremy.rosen at smile.fr
Fri Jan 26 08:35:41 UTC 2018


If you have the mentioned file (/usr/lib/systemd/system/rpcbind.socket) 
then systemd will open whatever port is described in there and pass it 
pre-opened to rpcbind.

systemd has no idea what that port is for and the file mentioned above 
was provided to systemd by the rpcbind package. You should really ask 
the rpcbind people what it is for, systemd is just the messenger here...

On 26/01/2018 03:48, Bao Nguyen wrote:
> Hello everyone,
>
> I would like to ask you a question regarding the new random UDP port in
> rpcbind 0.2.3.
>
> In rpcbind 0.2.3, when I start rpcbind (version 0.2.3) through
> rpcbind.service, then I do netstat
>
> udp        0      0 0.0.0.0:111             0.0.0.0:*      10408/rpcbind
> udp        0      0 0.0.0.0:831             0.0.0.0:*      10408/rpcbind
> udp6       0      0 :::111                  :::*           10408/rpcbind
> udp6       0      0 :::831                  :::*           10408/rpcbind
>
> The rpcbind does not only listen on port 111 but also on a random UDP port,
> "831" in this case. This port changes every time the rpcbind service
> restarts. And it listens on 0.0.0.0, so it opens a hole in security.
>
> I have looked into the changes in rpcbind 0.2.3 and found the change
> "rpcbind: add support for systemd socket activation". It calls a
> function sd_listen_fds. I do not know much about systemd socket activation
> programming; is the "831" port generated by rpcbind to communicate
> with systemd socket activation?
>
> Could you please let me know what this port is for and is there any way to
> avoid that, like forcing it to listen on an internal interface rather than on any
> interface like that? As the rpcbind is started from systemd, the "-h" option
> is invalid, as the man page says:
>
>
>     -h      Specify specific IP addresses to bind to for UDP requests.  This
>             option may be specified multiple times and can be used to restrict
>             the interfaces rpcbind will respond to.  Note that when rpcbind is
>             controlled via systemd's socket activation, the -h option is
>             ignored. In this case, you need to edit the ListenStream and
>             ListenDgram definitions in /usr/lib/systemd/system/rpcbind.socket
>             instead.
>
>
>
> Thanks a lot,
> Brs,
> Bao

-- 
SMILE <http://www.smile.eu/>

20 rue des Jardins
92600 Asnières-sur-Seine

	
*Jérémy ROSEN*
Technical Architect
Head of Smile-ECS Expertise

email jeremy.rosen at smile.fr <mailto:jeremy.rosen at smile.fr>
phone +33141402967
url http://www.smile.eu

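As an added example (not part of the thread, and not rpcbind or systemd code): a small Python check that lists the IP sockets a .socket unit declares, flags those bound to all interfaces, and reports ports seen in netstat that the unit never declared, which therefore were not pre-opened by systemd from that file. The unit contents and all function names are constructed for illustration; the netstat lines are the ones quoted in the thread.

```python
import re

# Constructed unit file for illustration; a distribution's real rpcbind.socket may differ.
SAMPLE_UNIT = """\
[Socket]
ListenStream=/run/rpcbind.sock
ListenStream=0.0.0.0:111
ListenDatagram=0.0.0.0:111
ListenStream=[::]:111
ListenDatagram=[::]:111
"""
# netstat lines quoted in the thread, with the wrapped PID column rejoined.
SAMPLE_NETSTAT = """\
udp        0      0 0.0.0.0:111             0.0.0.0:*      10408/rpcbind
udp        0      0 0.0.0.0:831             0.0.0.0:*      10408/rpcbind
udp6       0      0 :::111                  :::*           10408/rpcbind
udp6       0      0 :::831                  :::*           10408/rpcbind
"""
WILDCARD = {"", "0.0.0.0", "::"}  # "" is a bare port such as ListenStream=111

def parse_listen(unit_text):
    """Return [(proto, addr, port)] for the IP sockets a .socket unit declares."""
    found = []
    pattern = r"(?m)^[ \t]*Listen(Stream|Datagram)[ \t]*=[ \t]*(.*?)[ \t]*$"
    for kind, value in re.findall(pattern, unit_text):
        proto = "tcp" if kind == "Stream" else "udp"
        if value == "":  # an empty assignment clears every earlier Listen* entry
            found = []
        elif value[0] not in "/@":  # skip AF_UNIX paths and abstract sockets
            addr, _, port = value.rpartition(":")
            found.append((proto, addr.strip("[]"), int(port)))
    return found

def parse_netstat(text):
    """Return {(proto, port)} for each tcp/udp line of netstat-style output."""
    seen = set()
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0].rstrip("6") in ("tcp", "udp"):
            seen.add((cols[0].rstrip("6"), int(cols[3].rsplit(":", 1)[1])))
    return seen

def audit(unit_text, netstat_text):
    """Flag wildcard binds in the unit and live ports the unit never declared."""
    declared = parse_listen(unit_text)
    unit_ports = {(proto, port) for proto, _, port in declared}
    return {"wildcard": [e for e in declared if e[1] in WILDCARD],
            "not_from_unit": sorted(parse_netstat(netstat_text) - unit_ports)}
```

Pass the unit file text followed by any drop-in text as one string to `audit` to see the effect of an override; an empty `ListenStream=` line in the drop-in discards the packaged addresses before the new ones are read.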