Subject: Re: restricting NFS (and associated services) to one IP address
To: Andy Ruhl <acruhl@gmail.com>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: netbsd-users
Date: 10/09/2006 08:36:03
On Mon, 9 Oct 2006 05:01:15 -0700, "Andy Ruhl" <acruhl@gmail.com> wrote:
> I just used pf to block everything I didn't want one of my interfaces to see.
>
> Sorry for being dense, but why does this cause a problem with the
> portmapper in your setup? I don't seem to have any problems, but I
> don't have a large number of NFS clients either...
>
There are no guarantees about what port numbers are assigned. Today, on
one particular reboot, it used the ports I mentioned. A code change or a
boot order change could change that, which would silently leave the
services exposed.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
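A check of the kind Steven's point implies, added here as an example and not part of the thread: it compares the ports the portmapper actually registered (`rpcinfo -p`) against the ports a port-based pf rule set permits, so a reboot that reassigns RPC ports shows up instead of silently leaving a service exposed. The rpcinfo output and the allowed-port list below are constructed sample data; on a live host you would pipe the real `rpcinfo -p` into the same functions.

```shell
#!/bin/sh
# Added example (not from the original thread): detect drift between the RPC
# ports registered with the portmapper and the ports a port-based firewall
# rule set was written for. Constructed sample data stands in for the live
# commands.

# Constructed sample of `rpcinfo -p` output after a reboot (assumed format).
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   1022  mountd
    100005    1   tcp   1022  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100021    1   udp   4045  nlockmgr'

# Ports the (hypothetical) port-based rule set permits; mountd moved to 1022.
RULESET_PORTS="111 1023 2049 4045"

# rpc_ports: read rpcinfo -p output on stdin and print "proto port name"
# lines, skipping the header; sorted and deduplicated for stable output.
rpc_ports() {
    awk 'NR > 1 && NF >= 5 { print $3, $4, $5 }' | sort -u
}

# unlisted_rpc_ports: print registered services whose port is absent from the
# space-separated allow list given as $1. Reads rpcinfo output from stdin.
unlisted_rpc_ports() {
    allowed=" $1 "
    rpc_ports | while read -r proto port name; do
        case "$allowed" in
            *" $port "*) ;;                    # port is covered by a rule
            *) printf '%s/%s %s\n' "$proto" "$port" "$name" ;;
        esac
    done
}

# check_drift: return 0 when every registered RPC port is in the allow list
# ($1); otherwise print the uncovered services to stderr and return 1.
# Suitable as a boot-time or cron check. $2 is the rpcinfo -p output.
check_drift() {
    drift=$(printf '%s\n' "$2" | unlisted_rpc_ports "$1")
    [ -z "$drift" ] && return 0
    printf 'RPC services on ports not covered by the rule set:\n%s\n' "$drift" >&2
    return 1
}

# Stand-alone run against the constructed sample; reports the mountd drift.
if check_drift "$RULESET_PORTS" "$RPCINFO_SAMPLE"; then
    echo "rule set covers every registered RPC port"
fi
```

The check only catches drift in what port-based rules cover; a rule that filters on the client's source address instead, as in the pf setup quoted above, does not depend on the port assignments at all.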