LinuxQuestions.org
Old 03-18-2020, 08:00 PM   #1
james000
NIS Random port failure on firewall for Unix


Hi,

There was a firewall change in our company. That went smoothly except for one part. The firewall team said that they are seeing some failures on some random ports. A few days back they also found 2 ports and allowed them. Today again they see two new ports. So it looks like those ports are random.
Here is the denial message, in firewall terms:

Code:
USER-6-RT_FLOW_SESSION_DENY: session denied 192.168.75.246/896->192.168.70.133/55622 0x0 None 17(0) 9999999(global) core emer-app
USER-6-RT_FLOW_SESSION_DENY: session denied 192.168.75.247/896->192.168.70.134/44283 0x0 None 17(0) 9999999(global) core emer-app

192.168.75.246 and 192.168.75.247 are UNIX clients.
192.168.70.133 and 192.168.70.134 are NIS servers.
When I log in to both NIS servers and try to find these ports, these are ypbind:
Code:
nis-serv3 # /usr/local/bin/lsof -i:55622
nis-serv3 # /usr/local/bin/lsof -i:44283
COMMAND PID USER   FD   TYPE        DEVICE SIZE/OFF NODE NAME
ypbind  597 root    4u  IPv4 0x30125a010d8      0t0  UDP *:44283 (Idle)
nis-serv3 # ps -ef | grep 597
    root   597     1  0   Jul 01 ?       28:42 /usr/lib/netsvc/yp/ypbind
nis-serv3 #
-------------------
nis-serv4 # /usr/local/bin/lsof -i:55622
COMMAND  PID USER   FD   TYPE        DEVICE SIZE/OFF NODE NAME
ypbind  5805 root    4u  IPv4 0x30001c93838      0t0  UDP *:55622 (Idle)
nis-serv4 # /usr/local/bin/lsof -i:44283
nis-serv4 # ps -ef | grep 5805
    root 25331 20193  0 17:45:48 pts/1    0:00 grep 5805
    root  5805     1  0   Jul 01 ?       24:11 /usr/lib/netsvc/yp/ypbind
nis-serv4 #
Now the concern is, why are these random ports? Every time I reboot a NIS server or there is a change, NIS queries will be denied and the firewall team needs to be involved. Is there any range of ports or known ports which should be known to us and should already be added on the firewall?

Please suggest.
--------------------------------
Update: I learned that these random ports are ephemeral ports, which can keep changing when the service restarts, and they are firewalled. If that is the case, they will need to be un-firewalled or the problem will persist.
Will it not be a security risk to have them open, or should it be applied on the firewall in a different way?

Thanks

Last edited by james000; 03-19-2020 at 12:32 AM. Reason: Adding more information
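The two deny lines above are easier to triage in bulk than by hand. The script below is an added example, not from this thread or from Juniper: it parses RT_FLOW_SESSION_DENY lines in the exact field layout shown in the post, keeps only flows whose destination is one of the two NIS servers, groups them by destination host, protocol and port, and flags destination ports in 32768-65535, a range assumed here to cover both the Linux default ip_local_port_range and the Solaris anonymous port range, which is where a service that binds port 0 gets its port. NIS_SERVERS is taken from the post; the third deny line and the non-deny line in the sample are constructed to show grouping and filtering.

```python
"""Triage Juniper RT_FLOW_SESSION_DENY lines for flows to the NIS servers.
Added example, not from the thread or from Juniper.
"""
import re
from collections import defaultdict

# The NIS servers named in the post.
NIS_SERVERS = {"192.168.70.133", "192.168.70.134"}

# Constructed sample: the two deny lines quoted in the post, plus a third deny
# (another client hitting the same ypbind port) and one non-deny line, both
# made up here to show grouping and filtering.
SAMPLE_LOG = """\
USER-6-RT_FLOW_SESSION_DENY: session denied 192.168.75.246/896->192.168.70.133/55622 0x0 None 17(0) 9999999(global) core emer-app
USER-6-RT_FLOW_SESSION_DENY: session denied 192.168.75.247/896->192.168.70.134/44283 0x0 None 17(0) 9999999(global) core emer-app
USER-6-RT_FLOW_SESSION_DENY: session denied 192.168.75.248/1023->192.168.70.133/55622 0x0 None 17(0) 9999999(global) core emer-app
USER-6-RT_FLOW_SESSION_CLOSE: session closed (constructed noise line, ignored by the parser)
"""

# Field layout as it appears in the post: src/sport->dst/dport, a hex field,
# service name, protocol-id(icmp-type), policy, source zone, destination zone.
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"\S+ (?P<service>\S+) (?P<proto>\d+)\(\d+\) "
    r"(?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+)"
)
IP_PROTO = {6: "tcp", 17: "udp"}

# Assumption: 32768-65535 is treated as "dynamically assigned".  It covers the
# Linux default ip_local_port_range (32768-60999) and the Solaris anonymous
# port range (32768-65535); a daemon that binds port 0 lands in it on both.
DYNAMIC_LOW, DYNAMIC_HIGH = 32768, 65535


def parse_deny(line):
    """Return the fields of one deny line as a dict, or None for other lines."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    proto = int(d["proto"])
    return {
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "proto": IP_PROTO.get(proto, str(proto)),
        "policy": d["policy"], "from_zone": d["from_zone"], "to_zone": d["to_zone"],
    }


def summarize(lines, nis_servers):
    """Map (dst, proto, dport) -> sorted list of 'src:sport' for denied flows
    whose destination is a NIS server; everything else is dropped."""
    flows = defaultdict(set)
    for line in lines:
        rec = parse_deny(line)
        if rec and rec["dst"] in nis_servers:
            flows[(rec["dst"], rec["proto"], rec["dport"])].add(f'{rec["src"]}:{rec["sport"]}')
    return {k: sorted(v) for k, v in flows.items()}


def in_dynamic_range(port, low=DYNAMIC_LOW, high=DYNAMIC_HIGH):
    """True if the port is in the range assumed to be handed out dynamically."""
    return low <= port <= high


def report(summary):
    """One line per denied destination, ending with the lsof check to run on
    that server (the step the post did by hand)."""
    out = []
    for (dst, proto, dport), sources in sorted(summary.items()):
        tag = "dynamic" if in_dynamic_range(dport) else "fixed"
        out.append(f"{dst} {proto}/{dport} [{tag}] <- {', '.join(sources)}"
                   f"   # on {dst}: lsof -i:{dport}")
    return out


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG.splitlines(), NIS_SERVERS))))
```

The range tag only says a port looks dynamically assigned; whether it really is a portmapper-assigned RPC port is confirmed by the lsof (or rpcinfo -p) check on the server that each report line names.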
 
Old 03-19-2020, 12:04 AM   #2
berndbausch
This is the default behaviour for some older RPC-based software. The NIS port is essentially random (I knew that from NFS pre-version-4, now I just learned that NIS is like that as well).

It seems you can fix the port on the server though. For example as explained on this random page I found: http://diehn.net/blog/2017/06/lettin...nux-firewalls/.

Another option is a smart firewall that observes RPC traffic, catches the ports that are set up and opens those. But that is obviously out of your control.

Last edited by berndbausch; 03-19-2020 at 12:06 AM.
 
Old 03-19-2020, 12:34 AM   #3
james000
There are multiple servers where this is failing, and the firewall team needs to allow those ports. So checking/changing something on each server's end is difficult.
We have our own firewall team. But of course I will need to explain more to convince them to open ephemeral ports, and I am not sure, from the security point of view, whether it is wise to suggest that they keep ephemeral ports open.
 
Old 03-19-2020, 01:24 AM   #4
berndbausch
Quote:
Originally Posted by james000
There are multiple servers where this is failing, and the firewall team needs to allow those ports. So checking/changing something on each server's end is difficult.
We have our own firewall team. But of course I will need to explain more to convince them to open ephemeral ports, and I am not sure, from the security point of view, whether it is wise to suggest that they keep ephemeral ports open.
The problem is that by default the NIS ports are not deterministic. After a reboot, or a restart of NIS or the portmapper or another related component, you end up with a different port and have to beg the firewall team again.

I would just configure the same non-ephemeral ports for ypbind, as shown on the referenced web page. Do it once and the firewall problem is solved now and in the future.
 
Old 03-19-2020, 02:21 AM   #5
james000
Thanks for explaining.
This would help, but now I am also thinking about the wider picture.
We have 1 master + 3 slave NIS servers on RHEL 7. In another environment we have 1 master + 3 slaves on Solaris 10, and the same setup on Solaris 9 as well.
The suggestion you are pointing out should be implemented in all environments to overcome this problem permanently.

If I am reading your link properly, on Linux I should be able to write the entries below in /etc/sysconfig/network and that would take care of this issue:
Quote:
YPSERV_ARGS="-p 834"
YPXFRD_ARGS="-p 835"
I hope I am following you correctly.

But in my Solaris environment I don't see any such option to set these ports. I tried searching some old threads to see if I could get some ideas for Solaris. I found one ( https://www.linuxquestions.org/quest...5432309-print/ ) and it looks like there is no such option for Solaris.

Last edited by james000; 03-19-2020 at 02:52 AM.
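Once ports are pinned, the check worth running before the next firewall ticket is whether the server actually registered every NIS service on a port the firewall allows. The script below is an added example, not from the thread or from the yp tools: it parses `rpcinfo -p` output from a NIS server and compares each registration against the set of allowed (protocol, port) pairs. The sample output is constructed for a RHEL 7 server configured exactly as quoted above (YPSERV_ARGS="-p 834", YPXFRD_ARGS="-p 835"); the ypbind and yppasswdd port numbers in it are hypothetical. Note that those two variables pin ypserv and ypxfrd only, while the denied flows in the first post were to ypbind's UDP port on the servers, so a host configured just as quoted still shows ypbind on a portmapper-assigned port, which is what the sample models. ypbind-mt, the ypbind shipped on RHEL, documents a -p port option for that case; check ypbind(8) on your hosts.

```python
"""Compare what a NIS server registered with the portmapper against the ports
the firewall allows.  Added example, not from the thread or the yp tools.
"""
import re

# Constructed `rpcinfo -p` output for a RHEL 7 NIS server with ypserv pinned to
# 834 and ypxfrd to 835 (the sysconfig settings quoted in the thread).  The
# ypbind and yppasswdd ports are hypothetical: whatever the portmapper handed
# out at the last restart.  Program numbers are the standard NIS ones.
RPCINFO_SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100004    2   udp    834  ypserv
    100004    1   udp    834  ypserv
    100004    2   tcp    834  ypserv
    100004    1   tcp    834  ypserv
 600100069    1   udp    835  fypxfrd
 600100069    1   tcp    835  fypxfrd
    100007    2   udp  55622  ypbind
    100007    1   udp  55622  ypbind
    100007    2   tcp  38217  ypbind
    100009    1   udp    812  yppasswdd
"""

# (proto, port) pairs the firewall already allows towards the NIS servers:
# the portmapper plus the two pins above.
ALLOWED = {("tcp", 111), ("udp", 111), ("tcp", 834), ("udp", 834),
           ("tcp", 835), ("udp", 835)}

RPC_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Parse `rpcinfo -p` into (program, version, proto, port, service)
    tuples; the header and any non-matching line are skipped."""
    entries = []
    for line in text.splitlines():
        m = RPC_LINE.match(line)
        if m:
            prog, vers, proto, port, service = m.groups()
            entries.append((int(prog), int(vers), proto, int(port), service))
    return entries


def listening_ports(entries):
    """De-duplicated (proto, port, service) triples in use: the full list of
    ports that NIS traffic to this server can land on."""
    return {(proto, port, svc) for _, _, proto, port, svc in entries}


def unpinned_services(entries, allowed=ALLOWED):
    """Services registered on a (proto, port) the firewall does not allow.
    These are denied now and will move again at the next restart."""
    return {(svc, proto, port) for _, _, proto, port, svc in entries
            if (proto, port) not in allowed}


def ticket_lines(entries, allowed=ALLOWED):
    """One line per listening port for the firewall ticket, marking the ones
    that are not pinned so nobody opens a port that will not survive a reboot."""
    lines = []
    for proto, port, svc in sorted(listening_ports(entries), key=lambda t: (t[1], t[0])):
        status = "pinned" if (proto, port) in allowed else "NOT PINNED (portmapper-assigned)"
        lines.append(f"{proto}/{port:<5} {svc:<11} {status}")
    return lines


if __name__ == "__main__":
    ents = parse_rpcinfo(RPCINFO_SAMPLE)
    print("\n".join(ticket_lines(ents)))
    bad = unpinned_services(ents)
    if bad:
        print("\nfix these before asking for firewall changes:",
              ", ".join(sorted(f"{s} ({p}/{n})" for s, p, n in bad)))
```

Run it against real `rpcinfo -p` output from each server (master and every slave) after a restart; an empty set from unpinned_services is the condition under which a static firewall rule set will keep working across reboots, which is the point of pinning in the first place.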
 
Old 03-19-2020, 06:13 AM   #6
berndbausch
Quote:
Originally Posted by james000
I hope, I am following you correctly.
To be precise, you are following instructions that I found on the internet and that looked good to me. I may know less than you about NIS.
Quote:
it looks like, there is no such option for Solaris.
Bummer. NIS is obviously not made for modern environments.

The question is then, how did the old firewall deal with this? I guess it was able to learn about those ephemeral ports. Or was the change that you allude to not a change of technology, but one of policy? In this case, the policymakers should have checked the consequences first.
 