Portmap, a UNIX daemon supposedly made to make it easier for everyone to find out what ports services are listening on, seems to be dead essential in ad-hoc Ethernet-to-Ethernet networking with a static IP. I always give my home boxes IPs in the strictly forbidden IP range 10.x.x.x (I’d be better off taking 192.168.x.x) and connect them with a CAT5E cable (for gigabit speeds, or at least half of it) whenever I feel like it. I was dumbfounded to find that two MacBooks, one my own and one out of the box, will simply drown in an ocean of confusion when the daemon isn’t running on the serving system.
The context-sensitive autoconfigurator for network settings in OS X didn’t like it at all. I also have strict rules against named (the DNS server) and bonjour (zeroconf), and I let in AFP with a temporary rule. No catch. The connecting party couldn’t find services, and the link refused to establish in most cases (i.e. jumping from self-assigned 144. addresses to my own 10.x range). I could disable the firewall. OK, still nothing. Obviously, this isn’t related to my nazi ipfw configuration. Could it be that I have stopped some services from running in the first place? Yup. I had portmap disabled. Bonjour was fired up and restricted with ipfw because Aperture throws a fit without it running (read: it gives an error message with the rather descriptive text “Error. 2.”), which is a bit insane, as I haven’t found it to be a nice enough app to go share my photo collection over the network with bonjour, which iPhoto does for free.
Nearing the end of this rant, it’s obvious what I am saying. Hardening always gives you trouble getting into your own computer. You know, that’s really the way I like it. But I don’t consider acquiring a link a real security issue, so I’ll have to fix this. Strangely, whatever security measures I took in the how-tos I served did not affect these problems. Rather, it was the portmap daemon that ships with OS X that seems to be much more essential to its networking than I thought. I’ll look into this, because portmap has its history, especially with RHEL. I don’t know what those guys in Cupertino were thinking when they were soldering in portmap with liquid steel, but I’d rather just run without a whole lot of services.