ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Start a New Post

9.5P6: portmapper is allowed globally on one node but blocked on another node

aborzenkov
‎2019-10-11 05:31 AM

Two node cluster recently installed; it came with 9.5P1 and was later updated to 9.5P6. Starting with 9.4 portmapper (port 111) is normally blocked by mgmt firewall policy. To my surprise I found that on one node port 111 is globally allowed, while on another node it is only allowed on LIFs with data firewall policy:

ff-cdot01% sudo ipfw list | grep 111
00001 allow log ip from any to any dst-port 111 in
00001 allow log ip from any 111 to any out
00105 allow log ip4 from any to 10.197.2.2 dst-port 111 in
00105 allow log ip4 from any 111 10.197.2.2 to any out
ff-cdot01%

ff-cdot02% sudo ipfw list | grep 111
00102 allow log ip4 from any to 10.197.2.5 dst-port 111 in
00102 allow log ip4 from any 111 10.197.2.5 to any out
ff-cdot02%

Could somebody explain how it could happen? How can I "fix" it to match normal default 9.5 behavior?

 

And more importantly - at this point I am unsure what else can differ between two nodes. Is there any way to verify configuration consistency?

0 Kudos
5 Replies
Reply
5 REPLIES 5

Re: 9.5P6: portmapper is allowed globally on one node but blocked on another node

TMAC_CTG
NetApp A-Team
‎2019-10-11 08:24 AM

What are all the LIFs on each node and what are their polices for each of those LIFs?

 

 You may not be looking at a complete picture

0 Kudos
5 Replies
Reply

Re: 9.5P6: portmapper is allowed globally on one node but blocked on another node

aborzenkov
‎2019-10-11 08:41 AM
@TMAC_CTG wrote:

 You may not be looking at a complete picture

So where should I look? What configuration enables portmapper globally, on any interface? Arguably this is security issue. How to stop it?

 

On each node there are cluster and node management interfaces and one SVM on each with one LIF with "mgmt" policy and one LIF with "data" policy. Port 111 is explicitly opened for LIF with "data" policy as it should be.

 

Migrating cluster management interface between nodes does not change anything.

0 Kudos
5 Replies
Reply

Re: 9.5P6: portmapper is allowed globally on one node but blocked on another node

TMAC_CTG
NetApp A-Team
‎2019-10-11 08:53 AM

I suspect portmapper is tied to a data LIF. Try migrating and re-homing  both data LIFs to node 2. Then check. Then move both to node 1 and check. 

you may have an nfs LIF on node one

 

 net into int show -fields data -role data

0 Kudos
5 Replies
Reply

Re: 9.5P6: portmapper is allowed globally on one node but blocked on another node

aborzenkov
‎2019-10-11 09:10 AM

I have NFS LIFs on both nodes and port 111 is explicitly opened for these LIFs as I have shown in my original post.

0 Kudos
5 Replies
Reply

Re: 9.5P6: portmapper is allowed globally on one node but blocked on another node

paul_stejskal
NetApp
‎2019-10-14 01:48 PM

Seems odd. We probably need to dig deeper. I'd recommend opening a case.

View solution in original post

0 Kudos
5 Replies
Reply
Earn Rewards for Your Review!
GPI Review Banner
All Community Forums
Learn about the Community Get Started
Still have Questions Start a Discussion
Rules of the Community Read More
© 2021 NetApp
Let us know
Public