[lug] Firewall / Lockdown questions
dio2002 at indra.com
Tue Jul 31 16:14:29 MDT 2007

When I run netstat and/or nmap on what is going to be a web server:
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
930/tcp  open  unknown
3306/tcp open  mysql
ports 930 and 111 (rpc.statd & portmap) seem to be open for connection
from the world.  The following init.d services start these processes:
nfslock -> port 930 rpc.statd
portmap -> port 111 portmap
If I stop these services, they disappear from the netstat / nmap listings, which
I think is what I want.  Questions:
1) Is there any reason why nfslock should be running if I don't have nfs
running? Oddly enough, the system installed by default to disable nfs yet
enabled nfslock.
2) Is there any reason why I would want portmap running?  I'm not sure, but it
looks like portmap was probably needed to serve the requests to nfs and
nfslock, which is possibly why it's enabled?  What typical services is
portmap a frontend for, and is there a way to discover that on a running
system?
 # rpcinfo -p localhost
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    927  status
    100024    1   tcp    930  status
Also, sendmail is enabled in chkconfig.  It shows up in both nmap and
netstat.  My server will only need the ability to send outbound
error/status mail FROM the server to an external admin email address.
3) Do I need to have this sendmail service enabled for simple outgoing
mail as described?   Basically, how do I configure minimal outbound
sendmail capability while keeping either:
a) the port entirely closed / invisible (not sure if that's even possible), or
b) locked down (visible and open, but only sends from localhost and
accepts no inbound; I'm thinking this can be done in a config file
without the need for iptables rules)?
Thanks
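An added check for question 2 (example code, not from the post or its author): it reconciles the nmap port table against `rpcinfo -p` so that a port nmap reports as "unknown" is mapped to the RPC program registered on it. The rpcinfo and nmap samples are constructed from the listings in the post; `rpc_name` and `annotate_ports` are hypothetical helper names.

```sh
#!/bin/sh
# Constructed sample of `rpcinfo -p localhost` output (mirrors the post).
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    927  status
    100024    1   tcp    930  status'

# Constructed sample of the nmap port table from the post.
NMAP_SAMPLE='PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
930/tcp  open  unknown
3306/tcp open  mysql'

# rpc_name PORT PROTO RPCINFO_TEXT
# Prints the RPC program name registered on PORT/PROTO, or nothing if the
# portmapper has no registration for that port (i.e. it is not RPC-backed).
rpc_name() {
    printf '%s\n' "$3" | awk -v p="$1" -v pr="$2" '
        NR > 1 && $4 == p && $3 == pr { print $5; exit }'
}

# annotate_ports NMAP_TEXT RPCINFO_TEXT
# One line per open port: "<port>/<proto> <nmap service> rpc=<program or ->".
# A port that nmap calls "unknown" but rpcinfo knows (930 -> status, i.e.
# rpc.statd) is exactly the kind of listener worth shutting off here.
annotate_ports() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $1, $3 }' |
    while read -r portproto svc; do
        port=${portproto%/*}
        proto=${portproto#*/}
        name=$(rpc_name "$port" "$proto" "$2")
        printf '%s %s rpc=%s\n' "$portproto" "$svc" "${name:--}"
    done
}

annotate_ports "$NMAP_SAMPLE" "$RPCINFO_SAMPLE"
```

On the live host, feed `annotate_ports` the real `nmap` port table and the output of `rpcinfo -p localhost` instead of the samples; anything that still shows `rpc=<program>` after stopping nfslock and portmap is a registration you have not accounted for.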