ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Ask a Question

9.5P6: portmapper is allowed globally on one node but blocked on another node

aborzenkov
‎2019-10-11 05:31 AM
1,933 Views

Two node cluster recently installed; it came with 9.5P1 and was later updated to 9.5P6. Starting with 9.4 portmapper (port 111) is normally blocked by mgmt firewall policy. To my surprise I found that on one node port 111 is globally allowed, while on another node it is only allowed on LIFs with data firewall policy:

ff-cdot01% sudo ipfw list | grep 111
00001 allow log ip from any to any dst-port 111 in
00001 allow log ip from any 111 to any out
00105 allow log ip4 from any to 10.197.2.2 dst-port 111 in
00105 allow log ip4 from any 111 10.197.2.2 to any out
ff-cdot01%

ff-cdot02% sudo ipfw list | grep 111
00102 allow log ip4 from any to 10.197.2.5 dst-port 111 in
00102 allow log ip4 from any 111 10.197.2.5 to any out
ff-cdot02%

Could somebody explain how it could happen? How can I "fix" it to match normal default 9.5 behavior?

 

And more importantly - at this point I am unsure what else can differ between two nodes. Is there any way to verify configuration consistency?

0 Kudos
1 ACCEPTED SOLUTION

paul_stejskal
NetApp
‎2019-10-14 01:48 PM
In response to aborzenkov
1,706 Views

Seems odd. We probably need to dig deeper. I'd recommend opening a case.

View solution in original post

0 Kudos
5 REPLIES 5

TMACMD
NetApp A-Team
‎2019-10-11 08:24 AM
1,898 Views

What are all the LIFs on each node and what are their polices for each of those LIFs?

 

 You may not be looking at a complete picture

0 Kudos

aborzenkov
‎2019-10-11 08:41 AM
In response to TMACMD
1,892 Views
@TMACMD wrote:

 You may not be looking at a complete picture

So where should I look? What configuration enables portmapper globally, on any interface? Arguably this is security issue. How to stop it?

 

On each node there are cluster and node management interfaces and one SVM on each with one LIF with "mgmt" policy and one LIF with "data" policy. Port 111 is explicitly opened for LIF with "data" policy as it should be.

 

Migrating cluster management interface between nodes does not change anything.

0 Kudos

TMACMD
NetApp A-Team
‎2019-10-11 08:53 AM
In response to aborzenkov
1,889 Views

I suspect portmapper is tied to a data LIF. Try migrating and re-homing  both data LIFs to node 2. Then check. Then move both to node 1 and check. 

you may have an nfs LIF on node one

 

 net into int show -fields data -role data

0 Kudos

aborzenkov
‎2019-10-11 09:10 AM
In response to TMACMD
1,867 Views

I have NFS LIFs on both nodes and port 111 is explicitly opened for these LIFs as I have shown in my original post.

0 Kudos

paul_stejskal
NetApp
‎2019-10-14 01:48 PM
In response to aborzenkov
1,707 Views

Seems odd. We probably need to dig deeper. I'd recommend opening a case.

0 Kudos
All Community Forums
Public