Subject: Re: restricting NFS (and associated services) to one IP address
To: None <diro@nixsys.bz>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: netbsd-users
Date: 11/04/2006 20:37:26
On Sat, 04 Nov 2006 19:08:23 +0000, diro@nixsys.bz wrote:

> > The rpc services that register with the portmapper get a random free 
> > port between 512 and 1023. ipfilter's rpc-proxy is basically untested 
> > and supports only udp; pf doesn't have any portmapper support at al , 
> > AFAIK. This means that on a server, you have to open up the 
> > [512,1023] ports window unconditionally - and block it on the other 
> > interface. 
> >
> > It can be done, but it's awkward, and if you run ipfilter stateful, 
> > you break linux clients kern/27164). 
> >
> >	hauke
> 
> Here's something i thought about while in bed this morning (I know, it's sad 
> that i was thinking about computers in bed): 
> 
> If you have an NFS client machine and an NFS server machine connected only 
> to each other on separate interfaces that aren't connected a larger network 
> on those interfaces, why would you have to open up such a great port range? 
> Couldn't you only allow let's say tcp/udp ports 1000-1023 and wouldn't that 
> be enough for those NFS services that use rpcbind? 
> 
There are no guarantees about that.  Solaris, for example, tends to have
RPC services in the 32K range. 


		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb