06-08-2010 05:02 PM - edited 03-11-2019 10:56 AM
I would like to understand what configuration pieces need to be in place for SunRPC inspection to work properly. I have the following scenario: the NFS server is on a higher security interface, and the NFS clients are on a lower security interface. I have default sunrpc inspection enabled on UDP port 111. I also added TCP port 111 inspection because I saw from capture information that the SUSE systems were using TCP instead of UDP for the port mapper process.
class-map SUNRPC-TCP
match port tcp eq sunrpc
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect sunrpc
class SUNRPC-TCP
inspect sunrpc
!
service-policy global_policy global
Clients that use UDP can mount file shares, but SUSE systems, which use TCP, could not until I added the following command.
sunrpc-server High_Interface 10.1.1.1 255.255.255.255 service 100005 protocol TCP port 111 timeout 0:01:00
Inspecting the global service policy counters confirms that the SUNRPC-TCP class-map does not register any hit counts.
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: sunrpc, packet 208, drop 0, reset-drop 0
Class-map: SUNRPC-TCP
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
The rpcinfo command on the NFS server produces the following output (I removed program numbers that are irrelevant for this discussion):
nbmaster ## rpcinfo -p
program vers proto port service
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100005 3 tcp 1234 mountd
100005 2 tcp 1234 mountd
100005 1 tcp 1234 mountd
100005 3 udp 1234 mountd
100005 2 udp 1234 mountd
100005 1 udp 1234 mountd
100000 2 udp 111 rpcbind
100000 2 tcp 111 rpcbind
I would appreciate it if someone who really understands how sunrpc inspection works could explain the following questions to me:
1) What exactly is the purpose of the sunrpc-server command, and how is it different from the service policy inspect commands?
2) Why does my "SUNRPC-TCP" class-map not seem to work, while the "sunrpc-server" command seems to do the trick for systems that use TCP for the port mapper process?
Thank you in advance,
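For anyone reading this thread who wants to see what the inspection engine actually has to follow, here is an added example (not from the original post or from Cisco) of the portmapper exchange behind a mount: it XDR-encodes a PMAPPROC_GETPORT call for mountd (program 100005, version 3, over TCP, as in the rpcinfo output above), a matching reply that returns port 1234, and derives the dynamic port that a pinhole would need to cover. Message layouts follow RFC 1057/1833; the xid values, the sample reply and the TCP record mark handling are constructed for illustration.

```python
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3   # portmapper program/version/procedure
MSG_CALL, MSG_REPLY, MSG_ACCEPTED, SUCCESS, AUTH_NULL = 0, 1, 0, 0, 0
IPPROTO = {"tcp": 6, "udp": 17}
PROTO_NAME = {v: k for k, v in IPPROTO.items()}

def build_getport_call(xid, prog, vers, proto):
    """XDR-encode a PMAPPROC_GETPORT call with AUTH_NULL credentials and verifier."""
    hdr = struct.pack(">6I", xid, MSG_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack(">2I", AUTH_NULL, 0) * 2              # cred + verf, both empty
    args = struct.pack(">4I", prog, vers, IPPROTO[proto], 0)  # port arg is ignored by GETPORT
    return hdr + auth + args

def build_getport_reply(xid, port):  # accepted, successful reply carrying the assigned port
    return struct.pack(">7I", xid, MSG_REPLY, MSG_ACCEPTED, AUTH_NULL, 0, SUCCESS, port)

def tcp_record(msg):  # RPC over TCP prefixes each message with a record mark (last-fragment bit + length)
    return struct.pack(">I", 0x80000000 | len(msg)) + msg

def parse_getport_call(data):
    xid, mtype, _rpcvers, prog, vers, proc = struct.unpack(">6I", data[:24])
    if mtype != MSG_CALL or prog != PMAP_PROG or proc != PMAPPROC_GETPORT:
        raise ValueError("not a portmapper GETPORT call")
    off = 24
    for _ in range(2):                                        # skip cred and verf opaque bodies
        _flavor, length = struct.unpack(">2I", data[off:off + 8])
        off += 8 + ((length + 3) & ~3)                        # XDR pads opaque data to 4 bytes
    tprog, tvers, tproto, _ = struct.unpack(">4I", data[off:off + 16])
    return xid, tprog, tvers, tproto

def parse_getport_reply(data):
    xid, mtype, stat, _vflavor, vlen = struct.unpack(">5I", data[:20])
    if mtype != MSG_REPLY or stat != MSG_ACCEPTED:
        raise ValueError("reply not accepted")
    off = 20 + ((vlen + 3) & ~3)
    accept_stat, port = struct.unpack(">2I", data[off:off + 8])
    if accept_stat != SUCCESS:
        raise ValueError("GETPORT failed")
    return xid, port

def pinhole_for(call, reply, over_tcp):
    """Return the (program, version, proto, port) an inspection engine would pin open for one exchange."""
    if over_tcp:                                              # strip the record marks first
        call, reply = call[4:], reply[4:]
    xid, prog, vers, proto = parse_getport_call(call)
    rxid, port = parse_getport_reply(reply)
    if rxid != xid:
        raise ValueError("reply xid does not match call")
    return {"program": prog, "version": vers, "proto": PROTO_NAME[proto], "port": port}
```

Note that the same call on UDP port 111 has no record mark, which is one reason an engine that handles only the UDP framing would see nothing useful in the TCP session.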
03-07-2012 05:56 AM
Hi there, this is kind of a bump, since I'm also looking at an issue with SUNRPC, which doesn't work under inspection; but we have to use 1-1 NAT, so I suspect there's no way around this, unfortunately.
I was hoping that someone who might be able to answer frame6500's questions might also be able to advise whether this will ever work, and if not, why not?
I can provide specific info on my issue if required; however, the basic config is that two sets of servers communicate using SUNRPC and the return traffic is denied, and all we've done for configuration is to allow SUNRPC inspection in the default inspection traffic. NAT is configured also.
Thanks,
Sam