# Is portmap safe?

## jchoisy

Hello everybody.

Here I come with some simple/stupid questions, which anyway got me out of sleep... I just set up my full gnome desktop, which I love, and noticed that file changes were not seen automagically by nautilus. A little bit of googling revealed that that's what FAM is used for. No problem, after a little bit more reading, both portmap and famd are added to my default runlevel. Now, here comes my concern. If I issue a little 'netstat -a | grep tcp', I notice that portmap opens tcp ports, so does cups. I don't like that. I just want to use my printer and to see new files popping up on my file manager instantly, without having to 'reload'. Looking at each app's config files, I think I managed to limit access to the sole and only trustable host on earth, my sweet localhost. But still, why are those tcp thingies needed? Couldn't a simple unix socket do the job?

Actually, I have nothing against tcp ports, but how can we be sure of the security this provides? Maybe my fear only comes from my lack of knowledge (and I really hope so)... So please, someone, bring my sleep back. I can live without FAM I guess, but having to restart the cups daemon manually each time I want to print something would be a great hassle....

Thanks for any info...

----------

## Janne Pikkarainen

You could always protect those open ports from external access with iptables or some other firewall.

----------

## jasno

So is it safe, or not? And if not, rather than mess with building a firewall and then have to change its configuration every time I need to accept something new, can I just restrict portmap to local connections?

----------

## Joe

*jasno wrote:*

> So is it safe, or not? And if not, rather than mess with building a firewall and then have to change its configuration every time I need to accept something new, can I just restrict portmap to local connections?

Define safe....

Seriously, I do see the problem, and I have the very same philosophy: An open port is a possible security risk.

portmap is a very sad thing IMHO. I wish there wouldn't be such a thing. Why can't fam simply use one single port and - bingo - no further need for portmap?

Back to your question:

Create those two files:

/etc/hosts.allow

/etc/hosts.deny

and write in the first:

portmap: 127.0.0.1

and in the second:

portmap: ALL

This gives additional security, though I am still not satisfied with the situation.

Regards,

Joe
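To see why both files are needed, here is a small added example (not from the thread) that mimics the hosts_access(5) lookup order used by TCP-wrapper-aware daemons such as portmap: rules in /etc/hosts.allow are checked first, then /etc/hosts.deny, and a client matching neither is allowed. It assumes portmap was built with libwrap support, and only implements the ALL wildcard, exact addresses and dotted prefixes, not the EXCEPT operator.

```python
# Constructed contents of the two files from the post above.
HOSTS_ALLOW = "portmap: 127.0.0.1\n"
HOSTS_DENY = "portmap: ALL\n"


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines, ignoring comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed line, skipped here for simplicity
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients))
    return rules


def _matches(pattern, value):
    """Subset of hosts_access(5) matching: ALL, exact match, or dotted prefix."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # e.g. "192.168.1." matches a whole /24
        return value.startswith(pattern)
    return pattern == value


def rule_matches(rule, daemon, client):
    daemons, clients = rule
    return (any(_matches(d, daemon) for d in daemons)
            and any(_matches(c, client) for c in clients))


def hosts_access(daemon, client, allow_text, deny_text):
    """True if the client may reach the daemon. First matching rule wins;
    hosts.allow is consulted before hosts.deny; no match means access granted."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client):
            return True
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client):
            return False
    return True


if __name__ == "__main__":
    print(hosts_access("portmap", "127.0.0.1", HOSTS_ALLOW, HOSTS_DENY))   # True
    print(hosts_access("portmap", "192.0.2.10", HOSTS_ALLOW, HOSTS_DENY))  # False
    print(hosts_access("portmap", "192.0.2.10", HOSTS_ALLOW, ""))          # True: no deny rule
```

The third call shows that hosts.allow on its own restricts nothing; without the "portmap: ALL" line in hosts.deny, a remote client is still let through.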

----------

