3

There is an open port 111 (sunrpc) that I want to secure. On a fresh install of Solaris, how can I get this to only listen on localhost? This, I think, would be a cleaner way than using ipfilter, if I could just have it not listening to begin with.

Again, this is a fresh install, so I am not worried about 'breaking' anything. Don't care to have server-to-server stuff like syslog or nfs.

700 Software

2 Answers

1

Although the port is open by default on Solaris (at least 10+), rpcbind does not allow remote clients, so there is no need to take any additional actions to secure it.

If you do find that you need to allow remote client access, you can enable tcp_wrappers support for rpcbind and control access using tcpwrappers. The commands to enable tcpwrappers are:

svccfg -s svc:/network/rpc/bind setprop config/enable_tcpwrappers = true
svcadm refresh svc:/network/rpc/bind

TimS
0

Potentially helpful link 1 suggests disabling the service in /etc/hosts.deny:

portmap: ALL

Another helpful link says it doesn't matter.

Alex Hirzel