On 10/10/06, Michael van Elst <mlelstv@serpens.de> wrote:
> acruhl@gmail.com ("Andy Ruhl") writes:
>
> >If it were possible to bind NFS to an IP and not expose them to the
> >internet (thereby implying a multi homed host), would your answer be
> >the same?
>
> Mine would be the same. There are several complex mechanisms to
> inject IP packets to arbitrary destinations, your firewall or
> packet filter add a protection layer in front of these.h
>
> Binding to an non-public IP is a weak safetey measure.
>

Can you please expand on this a little more?  In an earlier email, you
seem to imply that using a "firewall"-type software to block packets
is secure, but now you're saying that not listening to an interface is
insecure.  Do you have reason to believe that IPF/PF is -better- at
denying access to a service than the netbsd networking implementation?
 Is there some bug where one could jump from one network to another?

If you're not listening on a network, where's the attack?