NetBSD-Bugs archive


Re: bin/37876: rpcbind(8) and related services should be able to bind(2) to a specific interface



The following reply was made to PR bin/37876; it has been noted by GNATS.

From: David Holland <dholland-bugs%netbsd.org@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: bin/37876: rpcbind(8) and related services should be able to
 bind(2) to a specific interface
Date: Mon, 8 Aug 2016 04:37:09 +0000

 On Sat, Jan 26, 2008 at 09:00:01AM +0000, mmondor%pulsar-zone.net@localhost wrote:
  > SunRPC services all seem to bind to all interfaces.
  > Considering the security issues involved using those services,
  > it would be ideal if they could be bound to a specific interface
  > (or various specific ones).
 
 While in general this seems like a good idea, it's a bit more
 complicated than just that. AFAICR, traditionally, the portmapper will
 forward requests, with the result that any request might appear to
 come from any local interface... I'm not sure if our rpcbind does that
 (I would hope not) but we ought to try to get some clear answers
 before proceeding.
 
 Also, for the record these services are started from inetd so inetd is
 in charge of binding:
    - rpc.rquotad
    - rpc.rstatd
    - rpc.rusersd
    - rpc.rwalld
    - rpc.sprayd
    - rpc.pcnfsd
 
 so only these are started from rc.d and would need binding glop:
    - rpc.bootparamd
    - rpc.lockd
    - rpc.statd
    - rpc.yppasswdd
    - ypserv
 
 Am I forgetting any others? (Besides perhaps the nfs server in the
 kernel...)
 
 As a side note, it seems that there isn't any preconfigured way to run
 pcnfsd at all; on the other hand, pcnfsd is pretty useless nowadays.
 
 For that matter, rstatd, rusersd, rwalld, sprayd, and yppasswdd are
 all pretty useless nowadays too.
 
 -- 
 David A. Holland
 dholland%netbsd.org@localhost
 

