Subject: Re: restricting NFS (and associated services) to one IP address
To: None <email@example.com>
From: None <firstname.lastname@example.org>
Date: 11/04/2006 19:08:23
> The rpc services that register with the portmapper get a random free
> port between 512 and 1023. ipfilter's rpc-proxy is basically untested
> and supports only udp; pf doesn't have any portmapper support at al ,
> AFAIK. This means that on a server, you have to open up the
> [512,1023] ports window unconditionally - and block it on the other
> It can be done, but it's awkward, and if you run ipfilter stateful,
> you break linux clients kern/27164).
Here's something i thought about while in bed this morning (I know, it's sad
that i was thinking about computers in bed):
If you have an NFS client machine and an NFS server machine connected only
to each other on separate interfaces that aren't connected a larger network
on those interfaces, why would you have to open up such a great port range?
Couldn't you only allow let's say tcp/udp ports 1000-1023 and wouldn't that
be enough for those NFS services that use rpcbind?