ONTAP Discussions

9.5P6: portmapper is allowed globally on one node but blocked on another node

aborzenkov

Two node cluster recently installed; it came with 9.5P1 and was later updated to 9.5P6. Starting with 9.4 portmapper (port 111) is normally blocked by mgmt firewall policy. To my surprise I found that on one node port 111 is globally allowed, while on another node it is only allowed on LIFs with data firewall policy:

ff-cdot01% sudo ipfw list | grep 111
00001 allow log ip from any to any dst-port 111 in
00001 allow log ip from any 111 to any out
00105 allow log ip4 from any to 10.197.2.2 dst-port 111 in
00105 allow log ip4 from any 111 10.197.2.2 to any out
ff-cdot01%

ff-cdot02% sudo ipfw list | grep 111
00102 allow log ip4 from any to 10.197.2.5 dst-port 111 in
00102 allow log ip4 from any 111 10.197.2.5 to any out
ff-cdot02%

Could somebody explain how it could happen? How can I "fix" it to match normal default 9.5 behavior?

 

And more importantly - at this point I am unsure what else can differ between two nodes. Is there any way to verify configuration consistency?

1 ACCEPTED SOLUTION

paul_stejskal

Seems odd. We probably need to dig deeper. I'd recommend opening a case.

View solution in original post

5 REPLIES 5

TMAC_CTG

What are all the LIFs on each node and what are their polices for each of those LIFs?

 

 You may not be looking at a complete picture

aborzenkov

@TMAC_CTG wrote:

 You may not be looking at a complete picture


So where should I look? What configuration enables portmapper globally, on any interface? Arguably this is security issue. How to stop it?

 

On each node there are cluster and node management interfaces and one SVM on each with one LIF with "mgmt" policy and one LIF with "data" policy. Port 111 is explicitly opened for LIF with "data" policy as it should be.

 

Migrating cluster management interface between nodes does not change anything.

TMAC_CTG

I suspect portmapper is tied to a data LIF. Try migrating and re-homing  both data LIFs to node 2. Then check. Then move both to node 1 and check. 

you may have an nfs LIF on node one

 

 net into int show -fields data -role data

aborzenkov

I have NFS LIFs on both nodes and port 111 is explicitly opened for these LIFs as I have shown in my original post.

paul_stejskal

Seems odd. We probably need to dig deeper. I'd recommend opening a case.

View solution in original post

Announcements
NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

NetApp Insights to Action
I2A Banner
Public