# rpcinfo: can't contact portmapper: RPC: Remote system error - Permission denied



## eydaimon (Nov 6, 2016)

According to /etc/hosts.allow:

```
# Rpcbind is used for all RPC services; protect your NFS!
# Rpcbind should be running with -W option to support this.
```

So I added `rpcbind_flags="-W"` in /etc/rc.conf and restarted rpcbind(8).
I also added `rpcbind : 192.168.0.0/255.255.0.0 : allow` to /etc/hosts.allow.

After doing this, NFS exports promptly stopped working everywhere and I get the following errors:


```
root@luffy /etc# showmount -e localhost
RPC: Port mapper failure
showmount: can't do exports rpc
```


```
root@luffy /etc# rpcinfo -p localhost
rpcinfo: can't contact portmapper: RPC: Remote system error - Permission denied
```


Restoring everything to its previous state is failing (iow, removing rpcbind_flags).

What's going on?

FreeBSD luffy 11.0-RELEASE-p1 FreeBSD 11.0-RELEASE-p1


----------



## kpa (Nov 6, 2016)

Sun RPC, NFS and all the related services were never designed with the kind of security requirements in mind that we now take for granted. The best you can do is limit those services to a trusted LAN and don't allow anyone else access to them. To do so use a firewall, not TCP wrappers that are seriously outdated and deprecated.


----------



## eydaimon (Nov 6, 2016)

```
root@luffy /etc# ipfw show
00100  84753112  23657466450 allow ip from 192.168.0.0/16 to me
00100         0            0 allow ip from 192.168.0.0/16 to me
00110         0            0 allow ip from 192.168.0.0/16 to me
00110         0            0 allow ip from 192.168.0.0/16 to me
00110         0            0 allow ip from 192.168.0.0 to me
00110         0            0 allow ip from 192.168.0.0/16 to me
00200     94674     11009652 allow tcp from any to any dst-port 22
00300       689       849924 allow tcp from any to me dst-port 23507
04000        51         3404 deny tcp from any to me dst-port 8080
04010        11          876 deny ip from any to me dst-port 111,2049
04020         6          264 deny tcp from any to me dst-port 8888
04030         6          400 deny tcp from any to me dst-port 8081
04040         2          140 deny tcp from any to me dst-port 5050
64000 267227785 247700405329 allow ip from any to any
65535         0            0 deny ip from any to any
```


I've had this rule on 111 forever, but I'm not sure why it's activated now.

Regardless, `showmount -e` still doesn't work even if I remove rule 4010.

Any ideas how to actually fix this aside from telling me I shouldn't have done what `/etc/hosts.allow` told me to do?


----------
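To see which of the two access controls in this thread a given client actually hits, it helps to walk them the way the kernel and libwrap do: ipfw(8) is first-match, and hosts_access(5) applies the first matching line and grants access when nothing matches. The following is an added example (editor's code, not from the poster or the FreeBSD project) that parses the `ipfw show` listing from the post above and evaluates it together with the `rpcbind : 192.168.0.0/255.255.0.0 : allow` line. The local address set for the `me` keyword and the trailing `rpcbind : ALL : deny` line are constructed assumptions. Walking the listing shows that a query from 192.168.0.0/16 lands on rule 100, while a loopback query to port 111 (127.0.0.1 is outside 192.168.0.0/16) falls through to the deny on 111,2049 at rule 4010; the same loopback client also fails the hosts.allow allow-list once a catch-all deny follows it.

```python
import ipaddress
import re

# Constructed local address set for ipfw's "me" keyword, which matches every
# address configured on the host, loopback included. Hypothetical values.
LOCAL_ADDRS = {"192.168.1.5", "127.0.0.1"}

# Rules taken from the `ipfw show` listing in the thread (duplicates dropped).
IPFW_SHOW = """\
00100  84753112  23657466450 allow ip from 192.168.0.0/16 to me
00110         0            0 allow ip from 192.168.0.0 to me
00200     94674     11009652 allow tcp from any to any dst-port 22
00300       689       849924 allow tcp from any to me dst-port 23507
04000        51         3404 deny tcp from any to me dst-port 8080
04010        11          876 deny ip from any to me dst-port 111,2049
04020         6          264 deny tcp from any to me dst-port 8888
64000 267227785 247700405329 allow ip from any to any
65535         0            0 deny ip from any to any
"""

# The line the poster added, followed by a constructed catch-all deny line.
HOSTS_ALLOW = """\
rpcbind : 192.168.0.0/255.255.0.0 : allow
rpcbind : ALL : deny
"""

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+\d+\s+\d+\s+(?P<action>allow|deny)\s+(?P<proto>\S+)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+dst-port\s+(?P<ports>[\d,]+))?\s*$"
)


def parse_ipfw_show(text):
    """Turn `ipfw show` lines into (num, action, proto, src, dst, ports) tuples.
    Lines that are not simple allow/deny rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m is None:
            continue
        d = m.groupdict()
        ports = {int(p) for p in d["ports"].split(",")} if d["ports"] else set()
        rules.append((int(d["num"]), d["action"], d["proto"], d["src"], d["dst"], ports))
    return rules


def _ipfw_addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in LOCAL_ADDRS
    # Bare host or CIDR; ipaddress treats a bare host as a /32 network.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def first_match(rules, proto, src, dst, dport):
    """ipfw is first-match: return (rule number, action) of the first rule
    the packet satisfies, or None if no rule matches."""
    for num, action, rproto, rsrc, rdst, ports in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if not (_ipfw_addr_matches(rsrc, src) and _ipfw_addr_matches(rdst, dst)):
            continue
        if ports and dport not in ports:
            continue
        return num, action
    return None


def _wrap_client_matches(pattern, client):
    """hosts_access(5) client patterns handled here: ALL, n.n.n.n/m.m.m.m, plain address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(client) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return client == pattern


def hosts_allow_verdict(text, daemon, client):
    """First matching line wins; with no matching line libwrap grants access."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3:
            continue
        daemons, clients, action = fields[0], fields[1], fields[2]
        if daemons != "ALL" and daemon not in {d.strip() for d in daemons.split(",")}:
            continue
        if _wrap_client_matches(clients, client):
            return action
    return "allow"


if __name__ == "__main__":
    rules = parse_ipfw_show(IPFW_SHOW)
    for src, dst in (("192.168.1.10", "192.168.1.5"), ("127.0.0.1", "127.0.0.1")):
        print(f"ipfw    {src} -> {dst}:111 hits", first_match(rules, "tcp", src, dst, 111))
        print(f"libwrap rpcbind client {src} ->", hosts_allow_verdict(HOSTS_ALLOW, "rpcbind", src))
```

The practical point for anyone restricting rpcbind this way: local tools such as `rpcinfo -p localhost` and `showmount -e localhost` connect from 127.0.0.1, so an allow-list written only for the LAN prefix has to include the loopback address as well, in both the firewall and hosts.allow, or the diagnostic commands themselves will be refused.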



## kpa (Nov 6, 2016)

Run tcpdump(8) on the interface and also turn on logging on the firewall to see what is blocked and why.


----------



## eydaimon (Nov 6, 2016)

I gave up and rebooted the host. Works fine now.


----------

