Letting NIS through Linux firewalls
I’ve had to do this a few times and I always forget and have to learn again. So here I am, memorizing it in my off-brain cache…
Overview of NIS
A Network Information Service (NIS) is a system for sharing service configuration info. It’s old, insecure, but still very useful. It relies on having a master on which we maintain the config info in text files called “NIS maps” and slaves that copy the maps from the master and make them available to the clients, the servers that use the config. info.
When we change a map on the master, we run make -C /var/yp (which some of us have aliased to “ypmake”). Make examines each map in turn and if it has changed, runs makedbm to copy the data from the map into a DBM file. It’s those DBM files that ypserv on a slave copies from the master, using ypxfrd, and then ultimately reads to answer a client’s questions – like “what is mdiehn’s UID?”
The communications between master and slave servers and between the clients and the slaves are carried over RPC and that involves the RPC Port Mapper. So, to make this all work, there are four daemons on at least three computers that need to be able to talk to each other:
- ypbind – runs on clients machines and talks to ypserv. Maintains the NIS binding inf. for the client.
- ypserv – Runs on the NIS servers, both master and the slaves. Makes the NIS inf. available to clients.
- ypxrfd – runs on the slave servers and helps copy the DBM files from the master to the slave.
- portmap – runs on all the machines to facilitate client-server RPC connections.
Changes to NIS daemon startup.
First, make your slave server start ypserv and ypxrfd with specific ports so you know what they’re register with the RPC portmap daemon and we can configure its firewall to let packets to those ports in. If you don’t they will pick random, high numbered ports to register with portmap and we won’t know what to put in the firewall config.
In CentOS or RHEL, you do that by adding this to the /etc/sysconfig/network file …
YPSERV_ARGS="-p 834"
YPXFRD_ARGS="-p 835"
… and then restart the services:
service ypserv restart
service ypxrd restart
Of course, on CentOS 7 and RHEL 7 or other systemd systems, we use
systemctl restart ypserv ypxfrd
Firewall Changes
Adjust your firewall configs to allow traffic to those ports *and* to the RPC port mapper’s own port, 111. These are from iptables-save on the server I worked on today:
Raw iptables – *shudder*
So you have this in case you need it.
iptables -A net-fw -p tcp -m tcp --dport 111 -j ACCEPT
iptables -A net-fw -p udp -m udp --dport 111 -j ACCEPT
iptables -A net-fw -p tcp -m tcp --dport 834 -j ACCEPT
iptables -A net-fw -p udp -m udp --dport 834 -j ACCEPT
iptables -A net-fw -p tcp -m tcp --dport 835 -j ACCEPT
iptables -A net-fw -p udp -m udp --dport 835 -j ACCEPT
And then save your iptables config however you Distro docs say to do it.
Using shorewall
If you’re working with Shorewall, like I am on this HPC cluster head-node, you can add these lines to the /etc/shorewall/rules files, which is the stored config,
# -- Allow RPC portmapper traffic from outside to the master
ACCEPT net fw tcp 111 # portmapper
ACCEPT net fw udp 111
# — Allow RPC to assign ports for ypserv on the master
ACCEPT net fw tcp 834 # ypserv
ACCEPT net fw udp 834
ACCEPT net fw tcp 835 # ypxfrd
ACCEPT net fw udp 835
And then run shorewall reload to pick up the changes.
Other firewalls?
There’s UFW on some Ubuntu releases, and there’s firewalld on some RHEL and CentOS and various other systems. If you want me to add them here, just send me what you want put in.
Helpfull docs
Besides the links I gave above, I found these useful.
- RedHat 3 Securing NIS doc that’s still relevant.
- Securing Portmap – from the same doc.
- Basic iptables usage – again, same old docs, still useful. Especially for saving your rules by hand.