Subject: Re: restricting NFS (and associated services) to one IP address
To: Andy Ruhl <acruhl@gmail.com>
From: Hauke Fath <hf@spg.tu-darmstadt.de>
List: netbsd-users
Date: 10/09/2006 14:52:20
On 09.10.2006 at 5:01 -0700, Andy Ruhl wrote:
>> An obvious approach is to use pf or ipf, but that doesn't play well with
>> portmapper. On my other NFS machine, I see UDP and/or TCP ports 1016,
>> 1017, 1018, 1019, 1020, 1021, and 1022 in use at the moment, for rpcbind,
>> mountd, lockd, and statd. rpcbind apparently supports
>> host.allow/hosts.deny, but it isn't clear if that applies to packets sent
>> directly to the other services. Any better suggestions?
>
>I didn't do too much research on this, but I needed to solve the same problem.
>
>I just used pf to block everything I didn't want one of my interfaces to see.
>
>Sorry for being dense, but why does this cause a problem with the
>portmapper in your setup?
The rpc services that register with the portmapper get a random free
port between 512 and 1023. ipfilter's rpc-proxy is basically untested
and supports only udp; pf doesn't have any portmapper support at all,
AFAIK. This means that on a server, you have to open up the
[512,1023] ports window unconditionally - and block it on the other
interface.
It can be done, but it's awkward, and if you run ipfilter stateful,
you break linux clients (kern/27164).
hauke
--
/~\ The ASCII Ribbon Campaign Hauke Fath
\ / No HTML/RTF in email Institut für Nachrichtentechnik
X No Word docs in email TU Darmstadt
/ \ Respect for open standards Ruf +49-6151-16-3281
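The "open the [512,1023] window on the NFS side, block it on the other interface" approach Hauke describes, written out as a pf.conf sketch. This is an added example, not from the thread or from NetBSD; interface names and addresses are assumed placeholders.

```pf
# Added example (not from the thread): restrict NFS and the RPC helper
# services to one interface and one client with pf, which has no portmapper
# support and therefore cannot track the per-service ports dynamically.
int_if  = "fxp0"          # assumption: interface facing the NFS client
ext_if  = "fxp1"          # assumption: interface facing everything else
nfs_srv = "192.0.2.10"    # assumption: this server's address on $int_if
client  = "192.0.2.25"    # assumption: the single client allowed to mount

# rpcbind (111) and nfsd (2049) sit on fixed ports; mountd, lockd and statd
# take a random free port between 512 and 1023 at start-up, so the whole
# window has to be opened on the NFS side rather than individual ports.
rpc_ports = "{ 111, 2049, 512:1023 }"

set skip on lo0
block in log all            # default deny; add pass rules for ssh etc. as needed

# NFS side: only the one client, for both TCP and UDP transports.
# The thread's caveat about stateful filtering breaking Linux clients
# (kern/27164) concerns ipfilter; verify pf's "keep state" with your clients.
pass in quick on $int_if proto { tcp, udp } \
    from $client to $nfs_srv port $rpc_ports keep state

# Other side: drop the same window explicitly so nothing can reach the RPC
# services there, regardless of which port they registered on.
block in log quick on $ext_if proto { tcp, udp } \
    from any to any port $rpc_ports

# Traffic the server itself originates is allowed back in via state.
pass out on { $int_if, $ext_if } keep state
```

After loading the rules, `rpcinfo -p` from the allowed client and from a host on the other interface confirms that the registered mountd/lockd/statd ports are reachable only from the NFS side.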