Subject: Re: restricting NFS (and associated services) to one IP address
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Byron Servies <bservies@pacang.com>
List: netbsd-users
Date: 10/08/2006 21:41:35
On Oct 8, 2006, at 9:24 PM, Steven M. Bellovin wrote:
> I have some machines with two Ethernet interfaces. I'd like to run an NFS
> server, but I want to restrict it to access via just one of the two
> interfaces. I don't see any easy way to do that.
>
> An obvious approach is to use pf or ipf, but that doesn't play well with
> portmapper. On my other NFS machine, I see UDP and/or TCP ports 1016,
> 1017, 1018, 1019, 1020, 1021, and 1022 in use at the moment, for rpcbind,
> mountd, lockd, and statd. rpcbind apparently supports
> hosts.allow/hosts.deny, but it isn't clear if that applies to packets sent
> directly to the other services. Any better suggestions?
Hi there!
I suggest you re-read 'man 5 exports' a little more closely. You can
restrict NFS exports to NIS groups, netgroups, individual IP
addresses, networks, etc. right in the /etc/exports file itself.
Here is the example block from the manual page:
For example:
/usr /usr/local -maproot=0:10 friends
/usr -maproot=daemon grumpy.cis.uoguelph.ca 131.104.48.16
/usr -ro -mapall=nobody
/u -maproot=bin: -network 131.104.48 -mask 255.255.255.0
/a -network 192.168.0/24
/a -network 3ffe:1ce1:1:fe80::/64
/u2 -maproot=root friends
/u2 -alldirs -kerb -network cis-net -mask cis-mask
HTH,
Byron
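The exports(5) rules above restrict each export by client address, host name, netgroup or network, not by interface, so an administrator who wants to know what a given file actually admits has to evaluate those rules per client. The following Python script is an added example, not part of the message or of NetBSD; it parses the manual's example block (embedded below as constructed input), reports exports that carry no client restriction at all, and answers "would client X match this export" for literal addresses and -network/-mask entries. Names such as `friends`, `grumpy.cis.uoguelph.ca` and `cis-net` cannot be resolved offline, so the script treats them as non-matching (an assumption); it also matches directories exactly rather than honouring -alldirs subtrees, and it applies the classful default mask that exports(5) describes when -network is given without -mask.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed input: the example block from exports(5) as quoted in the message.
EXPORTS_EXAMPLE = """\
/usr /usr/local -maproot=0:10 friends
/usr -maproot=daemon grumpy.cis.uoguelph.ca 131.104.48.16
/usr -ro -mapall=nobody
/u -maproot=bin: -network 131.104.48 -mask 255.255.255.0
/a -network 192.168.0/24
/a -network 3ffe:1ce1:1:fe80::/64
/u2 -maproot=root friends
/u2 -alldirs -kerb -network cis-net -mask cis-mask
"""


@dataclass
class ExportRule:
    dirs: list
    options: dict = field(default_factory=dict)
    hosts: list = field(default_factory=list)  # host names, netgroups or literal addresses
    network: str = None                        # value of -network, if given
    mask: str = None                           # value of -mask, if given

    def is_unrestricted(self):
        """No host list and no -network: the line exports to every client."""
        return not self.hosts and self.network is None

    def network_obj(self):
        """Build an ip_network from -network/-mask, or None if the value is a
        name we cannot resolve offline (assumption: names are not resolved)."""
        if self.network is None:
            return None
        addr, _, prefix = self.network.partition("/")
        try:
            if ":" not in addr:
                octets = addr.split(".")
                if not all(o.isdigit() for o in octets):
                    return None  # e.g. "cis-net": a name, not an address
                # exports(5) allows a truncated IPv4 network such as 131.104.48
                addr = ".".join(octets + ["0"] * (4 - len(octets)))
                if not prefix and not self.mask:
                    # classful default mask, as exports(5) describes for a bare -network
                    first = int(octets[0])
                    prefix = "8" if first < 128 else "16" if first < 192 else "24"
            if prefix:
                return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
            if self.mask:
                return ipaddress.ip_network(f"{addr}/{self.mask}", strict=False)
            return ipaddress.ip_network(addr, strict=False)
        except ValueError:
            return None  # malformed address or a mask given as a name


def parse_exports(text):
    """Parse exports(5)-style lines: leading directories, then options and hosts."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        i = 0
        dirs = []
        while i < len(tokens) and tokens[i].startswith("/"):
            dirs.append(tokens[i])
            i += 1
        rule = ExportRule(dirs)
        it = iter(tokens[i:])
        for tok in it:
            if tok in ("-network", "-mask"):
                value = next(it, None)
                if value is None:
                    raise ValueError(f"{tok} requires a value: {raw!r}")
                setattr(rule, tok[1:], value)
            elif tok.startswith("-"):
                name, _, value = tok[1:].partition("=")
                rule.options[name] = value or True
            else:
                rule.hosts.append(tok)
        rules.append(rule)
    return rules


def rule_matches(rule, path, client):
    """True if the rule covers path (exact match) and admits the client address."""
    if path not in rule.dirs:
        return False
    if rule.is_unrestricted():
        return True
    if client in rule.hosts:  # literal address listed as a host
        return True
    net = rule.network_obj()
    return net is not None and ipaddress.ip_address(client) in net


def find_rule(rules, path, client):
    """First rule that would admit client to path, or None."""
    return next((r for r in rules if rule_matches(r, path, client)), None)


def unrestricted_exports(rules):
    """Directories exported with no client restriction at all (worth flagging)."""
    return sorted({d for r in rules if r.is_unrestricted() for d in r.dirs})


if __name__ == "__main__":
    rules = parse_exports(EXPORTS_EXAMPLE)
    print("unrestricted:", unrestricted_exports(rules))
    for path, client in [("/u", "131.104.48.77"), ("/u", "131.104.49.1"),
                         ("/a", "3ffe:1ce1:1:fe80::1"), ("/usr", "10.0.0.1")]:
        hit = find_rule(rules, path, client)
        print(f"{client:>22} -> {path}: {'admitted ' + str(hit.options) if hit else 'no match'}")
```

Run against a real /etc/exports the same way; the unrestricted list is the first thing to look at, since `/usr -ro -mapall=nobody` in the manual's example admits every client that can reach the server, which is exactly the situation a per-interface restriction was meant to avoid.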