Subject: Re: restricting NFS (and associated services) to one IP address
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: netbsd-users
Date: 10/09/2006 08:46:13
On Mon, Oct 09, 2006 at 08:36:03AM -0400, Steven M. Bellovin wrote:
> On Mon, 9 Oct 2006 05:01:15 -0700, "Andy Ruhl" <acruhl@gmail.com> wrote:
>
> > I just used pf to block everything I didn't want one of my interfaces to see.
> >
> > Sorry for being dense, but why does this cause a problem with the
> > portmapper in your setup? I don't seem to have any problems, but I
> > don't have a large number of NFS clients either...
> >
> There are no guarantees about what port numbers are assigned. Today, on
> one particular reboot, it used the ports I mentioned. A code change or a
> boot order change could change that, which would silently leave the
> services exposed.
Were I you, I'd personally consider installing a "default block" set of
rules on the interface on which I didn't want RPC services to appear.
But you probably don't want to do that. It would be easy enough to adjust
portmap, mountd, and the kernel NFS server to bind only a specified IP
address. Why not give it a try?
Thor