On Mon, Oct 09, 2006 at 08:36:03AM -0400, Steven M. Bellovin wrote:
> On Mon, 9 Oct 2006 05:01:15 -0700, "Andy Ruhl" <acruhl@gmail.com> wrote:
> 
> > I just used pf to block everything I didn't want one of my interfaces to see.
> > 
> > Sorry for being dense, but why does this cause a problem with the
> > portmapper in your setup? I don't seem to have any problems, but I
> > don't have a large number of NFS clients either...
> > 
> There are no guarantees about what port numbers are assigned.  Today, on
> one particular reboot, it used the ports I mentioned.  A code change or a
> boot order change could change that, which would silently leave the
> services exposed.

Were I you, I'd personally consider installing a "default block" set of
rules on the interface on which I didn't want RPC services to appear.

But you probably don't want to do that.  It would be easy enough to adjust
portmap, mountd, and the kernel NFS server to bind only a specified IP
address.  Why not give it a try?

Thor