Subject: Re: restricting NFS (and associated services) to one IP address
To: None <email@example.com>
From: Steven M. Bellovin <firstname.lastname@example.org>
Date: 11/04/2006 20:37:26
On Sat, 04 Nov 2006 19:08:23 +0000, email@example.com wrote:
> > The rpc services that register with the portmapper get a random free
> > port between 512 and 1023. ipfilter's rpc-proxy is basically untested
> > and supports only udp; pf doesn't have any portmapper support at al ,
> > AFAIK. This means that on a server, you have to open up the
> > [512,1023] ports window unconditionally - and block it on the other
> > interface.
> > It can be done, but it's awkward, and if you run ipfilter stateful,
> > you break linux clients kern/27164).
> > hauke
> Here's something i thought about while in bed this morning (I know, it's sad
> that i was thinking about computers in bed):
> If you have an NFS client machine and an NFS server machine connected only
> to each other on separate interfaces that aren't connected a larger network
> on those interfaces, why would you have to open up such a great port range?
> Couldn't you only allow let's say tcp/udp ports 1000-1023 and wouldn't that
> be enough for those NFS services that use rpcbind?
There are no guarantees about that. Solaris, for example, tends to have
RPC services in the 32K range.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb