Subject: restricting NFS (and associated services) to one IP address
To: None <netbsd-users@netbsd.org>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: netbsd-users
Date: 10/09/2006 00:24:48
I have some machines with two Ethernet interfaces.  I'd like to run an NFS
server, but I want to restrict it to access via just one of the two
interfaces.  I don't see any easy way to do that.

An obvious approach is to use pf or ipf, but that doesn't play well with
portmapper.  On my other NFS machine, I see UDP and/or TCP ports 1016,
1017, 1018, 1019, 1020, 1021, and 1022 in use at the moment, for rpcbind,
mountd, lockd, and statd.  rpcbind apparently supports
hosts.allow/hosts.deny, but it isn't clear if that applies to packets sent
directly to the other services.  Any better suggestions?

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb