RPC

What can I do here?

Use this window to configure RPC general properties.

SunRPC Overview

What Background Information do I need to know...

RPC-based services do not use pre-defined port numbers. An RPC "connection" is structured as follows:

1. The client queries the server (on port 111), asking for the port number associated with the program.
   • If the query is UDP, the Firewall examines the program number, and allows only those programs allowed by the security policy (in the Services column).
   • If the query is TCP, the Firewall drops the query, unless TCP on port 111 is explicitly allowed by the security policy.

     Note - Allowing TCP on port 111 is considered insecure, because the client can then run any available RPC program through this port

2. The server (portmapper) replies with the port number. The Firewall monitors the reply and opens only the specified port for the RPC traffic.
3. The client connects to that port and the RPC "connection" continues.

Example:

Suppose the security policy allows RPC as follows:

• If RPC_Client issues a portmapper query on TCP port 111, the Firewall drops the query packet.
• If RPC_Client issues a portmapper query on UDP port 111, the Firewall allows the query only if the program number is 100003, as specified in the RPC Service Properties window for the nfsprog service. Moreover, the Firewall monitors the reply and then allows the nfsprog service only on the port specified in the reply.
• If RPC_Client does not issue a portmapper query, but proceeds to directly communicate on the nfsprog port (100003, as specified in the RPC Service Properties window for the nfsprog service), the Firewall queries portmapper and allows the connection only if the port number (in the portmapper reply) is also 100003.

RPC

Tell me about the fields...

• Name - should be identical to the server service name (as it appears in the services file), so that the Firewall will be able to retrieve some properties automatically. If NIS is being used, the Firewall will automatically retrieve the information from the NIS.
• Program Number - can be retrieved from the RPC database, if it is a standard service. If the program number is omitted, the Firewall attempts to resolve the program number (based on the service's name) when the policy is installed. If resolution fails, an error message is issued and installation will fail.
• Keep connections open after policy has been installed - keeps all control and data connections open until the connections have ended, even if they are not allowed under the new policy. This overrides the settings in the Connection Persistence page. If you change this property, the change will not affect open connections, but only future connections.