RPC
What can I do here?
Use this window to configure RPC general properties.
Getting Here - Object Explorer > New > Service > RPC
SunRPC Overview
What Background Information do I need to know...
RPC-based services do not use pre-defined port numbers. An RPC "connection" is structured as follows:
- The client queries the server (on port 111), asking for the port number associated with the program.
- The server (portmapper) replies with the port number. The Firewall monitors the reply and opens only the specified port for the RPC traffic.
- The client connects to that port and the RPC "connection" continues.
Example:
Suppose the security policy allows RPC as follows:
Source     | Destination | Service | Action
RPC_Client | RPC_Server  | nfsprog | Accept
- If RPC_Client issues a portmapper query on TCP port 111, the Firewall drops the query packet.
- If RPC_Client issues a portmapper query on UDP port 111, the Firewall allows the query only if the program number is 100003, as specified in the RPC Service Properties window for the nfsprog service. Moreover, the Firewall monitors the reply and then allows the nfsprog service only on the port specified in the reply.
- If RPC_Client does not issue a portmapper query, but proceeds to communicate directly on the port used by nfsprog (program number 100003, as specified in the RPC Service Properties window for the nfsprog service), the Firewall itself queries portmapper and allows the connection only if the portmapper reply maps that port to program number 100003.
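The tracking behaviour described above, modelled as an added example (constructed for this page, not Check Point code): the tracker parses a portmapper GETPORT call and its reply in ONC RPC v2 wire format (RFC 1057 layout with AUTH_NULL credentials, an assumption), drops TCP/111 queries, accepts UDP/111 queries only for an allowed program number, and opens a pinhole for exactly the port named in the matching reply. The builder functions, transport constants and the class name are assumptions for the example.

```python
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
IPPROTO_TCP, IPPROTO_UDP = 6, 17


class RpcPinholeTracker:
    """Constructed model of the Firewall behaviour described on this page."""
    def __init__(self, allowed_programs):
        self.allowed = set(allowed_programs)   # e.g. {100003} for nfsprog
        self.pending = {}                       # xid -> (program, transport protocol)
        self.pinholes = set()                   # (program, protocol, port)

    def on_query(self, transport, payload):
        # Portmapper queries over TCP/111 are dropped outright (rule example above).
        if transport != IPPROTO_UDP or len(payload) < 56:
            return "drop"
        xid, mtype, rpcvers, prog, vers, proc = struct.unpack("!6I", payload[:24])
        if mtype != 0 or rpcvers != 2 or (prog, vers, proc) != (PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT):
            return "drop"
        # Bytes 24..40 hold AUTH_NULL cred and verf (flavor, length each, no body).
        # GETPORT arguments follow: program, version, protocol, port (ignored).
        target_prog, _vers, proto, _port = struct.unpack("!4I", payload[40:56])
        if target_prog not in self.allowed:
            return "drop"          # program number not permitted by the policy
        self.pending[xid] = (target_prog, proto)
        return "accept"

    def on_reply(self, payload):
        # Reply: xid, REPLY(1), MSG_ACCEPTED(0), verf flavor/len, SUCCESS(0), port.
        if len(payload) < 28:
            return None
        xid, mtype, reply_stat = struct.unpack("!3I", payload[:12])
        _vf, _vl, accept_stat, port = struct.unpack("!4I", payload[12:28])
        if mtype != 1 or reply_stat != 0 or accept_stat != 0 or xid not in self.pending:
            return None
        prog, proto = self.pending.pop(xid)     # one reply per outstanding query
        self.pinholes.add((prog, proto, port))  # open only the port named in the reply
        return port

    def allows(self, prog, proto, port):
        return (prog, proto, port) in self.pinholes


def build_getport_call(xid, prog, vers, proto):
    """Constructed ONC RPC v2 GETPORT call with AUTH_NULL cred and verf."""
    hdr = struct.pack("!6I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    return hdr + struct.pack("!4I", 0, 0, 0, 0) + struct.pack("!4I", prog, vers, proto, 0)


def build_getport_reply(xid, port):
    """Constructed accepted GETPORT reply carrying the port for the queried program."""
    return struct.pack("!3I", xid, 1, 0) + struct.pack("!4I", 0, 0, 0, port)
```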
RPC
Tell me about the fields...
- Name - should be identical to the server service name (as it appears in the services file), so that the Firewall will be able to retrieve some properties automatically. If NIS is being used, the Firewall will automatically retrieve the information from the NIS.
- Program Number - can be retrieved from the RPC database, if it is a standard service. If the program number is omitted, the Firewall attempts to resolve the program number (based on the service's name) when the policy is installed. If resolution fails, an error message is issued and installation will fail.
- Keep connections open after policy has been installed - keeps all control and data connections open until the connections have ended, even if they are not allowed under the new policy. This overrides the settings in the Connection Persistence page. If you change this property, the change will not affect open connections, but only future connections.