topic Re: 9.5P6: portmapper is allowed globally on one node but blocked on another node in ONTAP Discussions

9.5P6: portmapper is allowed globally on one node but blocked on another node

aborzenkov — Wed, 04 Jun 2025 12:11:48 GMT

Two node cluster recently installed; it came with 9.5P1 and was later updated to 9.5P6. Starting with 9.4 portmapper (port 111) is normally blocked by mgmt firewall policy. To my surprise I found that on one node port 111 is globally allowed, while on another node it is only allowed on LIFs with data firewall policy:

ff-cdot01% sudo ipfw list | grep 111
00001 allow log ip from any to any dst-port 111 in
00001 allow log ip from any 111 to any out
00105 allow log ip4 from any to 10.197.2.2 dst-port 111 in
00105 allow log ip4 from any 111 10.197.2.2 to any out
ff-cdot01%

ff-cdot02% sudo ipfw list | grep 111
00102 allow log ip4 from any to 10.197.2.5 dst-port 111 in
00102 allow log ip4 from any 111 10.197.2.5 to any out
ff-cdot02%

Could somebody explain how it could happen? How can I "fix" it to match normal default 9.5 behavior?

And more importantly - at this point I am unsure what else can differ between two nodes. Is there any way to verify configuration consistency?

Re: 9.5P6: portmapper is allowed globally on one node but blocked on another node

TMACMD — Fri, 11 Oct 2019 15:24:52 GMT

What are all the LIFs on each node and what are their polices for each of those LIFs?

You may not be looking at a complete picture

Re: 9.5P6: portmapper is allowed globally on one node but blocked on another node

aborzenkov — Fri, 11 Oct 2019 15:41:00 GMT

@TMACMD wrote:

You may not be looking at a complete picture

So where should I look? What configuration enables portmapper globally, on any interface? Arguably this is security issue. How to stop it?

On each node there are cluster and node management interfaces and one SVM on each with one LIF with "mgmt" policy and one LIF with "data" policy. Port 111 is explicitly opened for LIF with "data" policy as it should be.

Migrating cluster management interface between nodes does not change anything.

Re: 9.5P6: portmapper is allowed globally on one node but blocked on another node

TMACMD — Fri, 11 Oct 2019 15:53:05 GMT

I suspect portmapper is tied to a data LIF. Try migrating and re-homing both data LIFs to node 2. Then check. Then move both to node 1 and check.

you may have an nfs LIF on node one

net into int show -fields data -role data

Re: 9.5P6: portmapper is allowed globally on one node but blocked on another node

aborzenkov — Fri, 11 Oct 2019 16:10:36 GMT

I have NFS LIFs on both nodes and port 111 is explicitly opened for these LIFs as I have shown in my original post.

Re: 9.5P6: portmapper is allowed globally on one node but blocked on another node

paul_stejskal — Mon, 14 Oct 2019 20:48:18 GMT

Seems odd. We probably need to dig deeper. I'd recommend opening a case.