Protecting rpcbind with tcp_wrappers


While perusing some of the new features in Solaris 10, I saw that rpcbind is now tcp_wrappers aware. This allows you to limit which hosts can send RPC requests to a server, and can be used to deny all RPC requests except those originating from the host itself. To enable tcp_wrappers and limit inbound requests to the loopback interface, the svccfg(1m) utility can be run to enter the SMF configuration console:

$ svccfg

Once in the SMF configuration console, you need to select the rpc/bind service with the ‘select’ command:

svc:>select network/rpc/bind

Once the service is selected, you can view the service properties using the ‘listprop’ command:

svc:/network/rpc/bind> listprop

config application
config/allow_indirect boolean true
config/verbose_logging boolean true
config/enable_tcpwrappers boolean true
fs dependency
fs/entities fmri svc:/system/filesystem/minimal
fs/grouping astring require_all
fs/restart_on astring none
fs/type astring service
identity dependency
identity/entities fmri svc:/system/identity:node
identity/grouping astring require_all
identity/restart_on astring refresh
identity/type astring service
sysidtool dependency
sysidtool/entities fmri svc:/system/sysidtool:net
sysidtool/grouping astring require_all
sysidtool/restart_on astring none
sysidtool/type astring service
routing dependency
routing/entities fmri svc:/network/initial:default
routing/grouping astring optional_all
routing/restart_on astring none
routing/type astring service
general framework
general/entity_stability astring Unstable
general/single_instance boolean true
start method
start/exec astring "/lib/svc/method/rpc-bind %m"
start/group astring root
start/limit_privileges astring :default
start/privileges astring basic,file_chown,file_chown_self,file_owner,net_privaddr,proc_setid,sys_nfs
start/project astring :default
start/resource_pool astring :default
start/supp_groups astring :default
start/timeout_seconds count 60
start/type astring method
start/use_profile boolean false
start/user astring root
start/working_directory astring :default
stop method
stop/exec astring "/lib/svc/method/rpc-bind %m %{restarter/contract}"
stop/group astring root
stop/limit_privileges astring :default
stop/privileges astring basic,proc_owner
stop/project astring :default
stop/resource_pool astring :default
stop/supp_groups astring :default
stop/timeout_seconds count 60
stop/type astring method
stop/use_profile boolean false
stop/user astring root
stop/working_directory astring :default
tm_common_name template
tm_common_name/C ustring "RPC bindings"
tm_man_rpcbind template
tm_man_rpcbind/manpath astring /usr/share/man
tm_man_rpcbind/section astring 1M
tm_man_rpcbind/title astring rpcbind

Once the properties have been reviewed, you can enable tcp_wrappers by setting the ‘config/enable_tcpwrappers’ attribute to ‘true’:

svc:/network/rpc/bind> setprop config/enable_tcpwrappers=true

To exit the SMF configuration console, the ‘end’ keyword can be used:

svc:/network/rpc/bind> end

After the SMF service has been configured, the tcp_wrappers hosts.deny and hosts.allow files need to be updated to limit RPC requests to the loopback interface:

$ cat /etc/hosts.deny
ALL: ALL

$ cat /etc/hosts.allow
rpcbind: 127.0.0.1
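The access decision tcp_wrappers makes from these two files, as an added Python example (it is not from the original post and is not Solaris's libwrap code): it follows the hosts_access(5) order, consult hosts.allow first, then hosts.deny, then permit by default, for the subset of client patterns used in this kind of setup (ALL, a single address, a trailing-dot prefix such as 192.168.1., and a net/mask pair). The two rule texts embedded below are constructed copies of the files shown above, and the function and pattern names are this example's own.

```python
"""Evaluate tcp_wrappers rules the way hosts_access(5) describes them:
a (daemon, client) pair is granted if it matches an entry in hosts.allow,
denied if it then matches an entry in hosts.deny, and granted otherwise.
Within each file the first matching line wins."""
import ipaddress

# Constructed copies of the two files from the post.
HOSTS_DENY = """
# deny everything that hosts.allow does not explicitly permit
ALL: ALL
"""

HOSTS_ALLOW = """
rpcbind: 127.0.0.1
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list [: shell_command]' lines into
    (daemons, clients) tuples.  Comments and blank lines are skipped.
    Backslash continuation lines and the EXCEPT operator are not handled;
    this is a simplification of the full hosts_access(5) syntax."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, client_ip):
    """Match one client pattern against a dotted IPv4 address string."""
    addr = ipaddress.ip_address(client_ip)
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        # LOCAL matches hostnames without a dot; we only see addresses here.
        return False
    if "/" in pattern:
        # net/mask form, e.g. 192.168.1.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):
        # leading-octets form, e.g. 192.168.1. matches 192.168.1.0/24
        return client_ip.startswith(pattern)
    return client_ip == pattern


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    return (any(daemon_matches(d, daemon) for d in daemons)
            and any(client_matches(c, client_ip) for c in clients))


def hosts_access(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return (granted, reason) for a daemon/client pair."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client_ip):
            return True, "matched hosts.allow"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client_ip):
            return False, "matched hosts.deny"
    return True, "no rule matched (tcp_wrappers default is to permit)"


if __name__ == "__main__":
    checks = [("rpcbind", "127.0.0.1"), ("rpcbind", "192.168.1.3"),
              ("sshd", "127.0.0.1")]
    for daemon, ip in checks:
        granted, why = hosts_access(daemon, ip)
        print(f"{daemon:8} from {ip:12}: {'ALLOW' if granted else 'DENY'} ({why})")
```

The `deny_text=""` case in the test below is the failure mode worth remembering: with no hosts.deny (or one without `ALL: ALL`), the `rpcbind: 127.0.0.1` line on its own blocks nothing, because anything that matches neither file is permitted.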

Once these files are created, you can start using a tcp_wrapped rpcbind by restarting the rpc/bind service with the svcadm utility:

$ svcadm restart rpc/bind

After the rpcbind process has been restarted, each non-local connection to TCP port 111 will be reset (RST):

$ telnet tigger 1111
Trying 192.168.1.3...
telnet: connect to address 192.168.1.3: Connection refused

I digs me some tcp_wrapper!

This article was posted by Matty on 2005-12-21 20:31:00 -0400