RPC Binding and Firewalls
[posted 2004/10/26]
[Notes issued with the release of PIKT 1.18.0pre2, which introduced the new feature: RPC binding to a specific system port, facilitating PIKT's use with firewalls.]
Fulfilling user requests, beginning with pikt-1.18.0pre2, you may now bind piktc_svc to a specific system port (by default 850), facilitating PIKT's use with firewalls.
When installing PIKT, the 'configure' operation will set the piktc_svc port number to 850 by default. You can change this by instead doing
../configure ... --enable-rpcprtnum=XXX ...
where XXX is some other unused system port. Since piktc_svc is (definitely!) not a public service, changing 850 to some other unused port number is advisable.
After the 'make' step, you will want to add this line to PIKT.conf (on both piktmaster and slave systems)
tcp_only TRUE
which will have PIKT use only TCP and avoid using UDP altogether. (There is little reason not to do this.)
When you run the compiled piktc_svc binary, it binds itself to port 850 (or whatever other port number you specified in the 'configure' step) for TCP traffic. The portmapper will assign some other unspecified port for UDP traffic, but since you have set tcp_only to TRUE (or YES or the equivalent) in PIKT.conf, UDP becomes irrelevant.
Assuming you have blocked all unused system ports at the firewall, you may now unblock the designated PIKT port. With Linux iptables, you might for example add the rule
iptables -A IN_NETWORK -p tcp --syn -d $OVERTHERE -s $PIKTMASTER --dport 850 -j ACCEPT
where $PIKTMASTER is the IP address of the piktmaster system.
Note that you still need to run the portmapper, and you must unblock it at the firewall as well. For example,
iptables -A IN_NETWORK -p tcp --syn -d $OVERTHERE -s $PIKTMASTER --dport 111 -j ACCEPT
(You don't need to unblock any portmapper-assigned piktc_svc UDP port if you have set tcp_only to TRUE in PIKT.conf.)
At least now you may block all other unused system ports. Previously you had to keep them open because, a priori, you didn't know which system port the portmapper would assign to piktc_svc.
In our implementation of this, we had to hack the rpcgen transport code, replacing (in the build directory, `./config.guess`/src/piktc/rpc_svc.c)
transp = svctcp_create(RPC_ANYSOCK, 0, 0);
with
transp = svctcp_create(getsd(), 0, 0);
where getsd() is a newly created function (in src/lib/net.c) that achieves the specific-port RPC binding.
The above is example Linux rpcgen-created code. We have not been able to test any of this on other operating systems. Please report any problems or differences in your operating system environment.
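To make the specific-port binding concrete, here is an added illustration (not PIKT's own code; the real getsd() in src/lib/net.c is not reproduced here) of a hypothetical stand-in for getsd(): it pre-binds a listening TCP socket to a fixed port so the descriptor can take the place of RPC_ANYSOCK in svctcp_create(). The names bind_rpc_port and bound_port, the SO_REUSEADDR setting, and the choice to fail rather than fall back to a portmapper-chosen port when the port is busy are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Listening TCP socket bound to addr:port, or -1. A stand-in (not PIKT's
 * code) for getsd(): pass the result to svctcp_create() instead of RPC_ANYSOCK. */
int bind_rpc_port(const char *addr, unsigned short port)
{
    struct sockaddr_in sin;
    int one = 1, sd;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1)
        return -1;                          /* not a dotted-quad address */
    if ((sd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    /* SO_REUSEADDR lets a restarted daemon rebind while old connections drain. */
    if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0)
        goto fail;
    /* Fail loudly if the port is taken; a silent portmapper fallback would bypass the firewall rule. */
    if (bind(sd, (struct sockaddr *)&sin, sizeof sin) < 0 ||
        listen(sd, SOMAXCONN) < 0)
        goto fail;
    return sd;
fail:
    fprintf(stderr, "bind_rpc_port %s:%u: %s\n", addr, (unsigned)port, strerror(errno));
    close(sd);
    return -1;
}

int bound_port(int sd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    return getsockname(sd, (struct sockaddr *)&sin, &len) ? -1 : ntohs(sin.sin_port);
}

int main(void)
{
    int sd = bind_rpc_port("0.0.0.0", 850);   /* 850 is PIKT's default */
    if (sd < 0)
        return 1;
    printf("port %d is bound; PIKT would now call svctcp_create(sd, 0, 0)\n", bound_port(sd));
    return close(sd);
}
```

Binding to 850 (below 1024) requires root, which piktc_svc normally runs as anyway; a second daemon started on the same port gets -1 and an error message instead of an unpredictable portmapper-assigned port.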
Note that if, for any reason, you don't want to bind piktc_svc to a specific port number (which was the default before pikt-1.18.0pre2), you may do this in the 'configure' step
../configure ... --disable-rpcprtnum ...
which places piktc_svc (TCP) port assignment back under the control of the portmapper.
For more examples, see Developer's Notes.