Subject: restricting NFS (and associated services) to one IP address
To: None <netbsd-users@netbsd.org>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: netbsd-users
Date: 10/09/2006 00:24:48
I have some machines with two Ethernet interfaces. I'd like to run an NFS
server, but I want to restrict it to access via just one of the two
interfaces. I don't see any easy way to do that.
An obvious approach is to use pf or ipf, but that doesn't play well with
portmapper. On my other NFS machine, I see UDP and/or TCP ports 1016,
1017, 1018, 1019, 1020, 1021, and 1022 in use at the moment, for rpcbind,
mountd, lockd, and statd. rpcbind apparently supports
host.allow/hosts.deny, but it isn't clear if that applies to packets sent
directly to the other services. Any better suggestions?
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb