Subject: Re: restricting NFS (and associated services) to one IP address
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Andy Ruhl <acruhl@gmail.com>
List: netbsd-users
Date: 10/09/2006 05:01:15
On 10/8/06, Steven M. Bellovin <smb@cs.columbia.edu> wrote:
> I have some machines with two Ethernet interfaces.  I'd like to run an NFS
> server, but I want to restrict it to access via just one of the two
> interfaces.  I don't see any easy way to do that.
>
> An obvious approach is to use pf or ipf, but that doesn't play well with
> portmapper.  On my other NFS machine, I see UDP and/or TCP ports 1016,
> 1017, 1018, 1019, 1020, 1021, and 1022 in use at the moment, for rpcbind,
> mountd, lockd, and statd.  rpcbind apparently supports
> hosts.allow/hosts.deny, but it isn't clear if that applies to packets sent
> directly to the other services.  Any better suggestions?

I didn't do too much research on this, but I needed to solve the same problem.

I just used pf to block everything I didn't want one of my interfaces to see.

Sorry for being dense, but why does this cause a problem with the
portmapper in your setup? I don't seem to have any problems, but I
don't have a large number of NFS clients either...

Andy
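An illustration of the interface-based pf approach Andy describes, added here and not taken from either poster's configuration. It assumes NetBSD pf, that `wm0` is the interface NFS clients should use, that `wm1` must not see NFS at all, and that the clients live in 192.168.10.0/24; all interface names and addresses are placeholders.

```pf
# Added example (not from the thread). Interface names, addresses and
# the ssh pass-through below are assumptions for illustration only.
nfs_if      = "wm0"              # interface NFS clients are allowed to use
ext_if      = "wm1"              # interface that must NOT see NFS/RPC traffic
nfs_clients = "192.168.10.0/24"  # assumed client subnet on $nfs_if

set skip on lo0

# Default deny on every interface. Deciding by interface rather than by
# port sidesteps the portmapper problem raised above: the ports rpcbind
# hands to mountd, lockd and statd change, but the interface does not.
block in log all

# The NFS-facing interface may serve the client subnet (rpcbind, nfsd and
# whatever ports rpcbind assigns to the helper daemons).
pass in quick on $nfs_if proto { tcp, udp } from $nfs_clients to ($nfs_if) keep state

# The other interface gets only what it explicitly needs; nothing
# RPC-related is opened here, so rpcbind/mountd/lockd/statd are unreachable.
pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep state

# Traffic originated by the host itself is unrestricted.
pass out quick keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm from a host on the `wm1` side that `rpcinfo -p` against that address fails while it succeeds from the client subnet.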