Subject: Re: restricting NFS (and associated services) to one IP address
To: None <netbsd-users@netbsd.org>
From: None <diro@nixsys.bz>
List: netbsd-users
Date: 11/04/2006 19:08:23
> The rpc services that register with the portmapper get a random free 
> port between 512 and 1023. ipfilter's rpc-proxy is basically untested 
> and supports only udp; pf doesn't have any portmapper support at all, 
> AFAIK. This means that on a server, you have to open up the 
> [512,1023] ports window unconditionally - and block it on the other 
> interface. 
>
> It can be done, but it's awkward, and if you run ipfilter stateful, 
> you break linux clients (kern/27164). 
>
>	hauke

Here's something I thought about while in bed this morning (I know, it's sad 
that I was thinking about computers in bed): 

If you have an NFS client machine and an NFS server machine connected only 
to each other on separate interfaces that aren't connected to a larger network 
on those interfaces, why would you have to open up such a great port range? 
Couldn't you only allow, let's say, tcp/udp ports 1000-1023, and wouldn't that 
be enough for those NFS services that use rpcbind? 

!tr
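As an added illustration of the per-interface approach hauke describes (open the reserved-port window only on the dedicated NFS link, block it on the other interface), here is a pf.conf fragment that is not from the thread; the interface names wm0/wm1 and the client address 192.0.2.10 are assumed:

```pf
# Added example, not from the original thread.
# Assumptions: wm1 is the back-to-back link to the single NFS client
# 192.0.2.10; wm0 faces the larger network.
nfs_if = "wm1"
nfs_client = "192.0.2.10"
rpc_window = "512:1023"   # reserved range an rpcbind-registered service may land in

# Default deny, and explicitly drop rpcbind, nfsd and the RPC window on wm0.
block in all
block in quick on wm0 proto { tcp, udp } from any to any port { 111, 2049, $rpc_window }

# rpcbind (111) and nfsd (2049): only from the one client, only on the NFS link.
pass in on $nfs_if proto { tcp, udp } from $nfs_client to ($nfs_if) port { 111, 2049 } keep state
# The remaining RPC daemons (mountd, lockd, statd) pick a port in the reserved
# window, so that window is passed on the NFS link and nowhere else.
pass in on $nfs_if proto { tcp, udp } from $nfs_client to ($nfs_if) port $rpc_window keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which is a cheap way to check the macro substitution before enabling the rules.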