Subject: Re: restricting NFS (and associated services) to one IP address
To: None <>
From: None <>
List: netbsd-users
Date: 11/05/2006 16:49:29
Steven M. Bellovin writes: 

> On Sat, 04 Nov 2006 19:08:23 +0000, wrote: 
>> > The rpc services that register with the portmapper get a random free 
>> > port between 512 and 1023. ipfilter's rpc-proxy is basically untested 
>> > and supports only udp; pf doesn't have any portmapper support at al , 
>> > AFAIK. This means that on a server, you have to open up the 
>> > [512,1023] ports window unconditionally - and block it on the other 
>> > interface. 
>> >
>> > It can be done, but it's awkward, and if you run ipfilter stateful, 
>> > you break linux clients kern/27164). 
>> >
>> >	hauke 
>> Here's something i thought about while in bed this morning (I know, it's sad 
>> that i was thinking about computers in bed):  
>> If you have an NFS client machine and an NFS server machine connected only 
>> to each other on separate interfaces that aren't connected a larger network 
>> on those interfaces, why would you have to open up such a great port range? 
>> Couldn't you only allow let's say tcp/udp ports 1000-1023 and wouldn't that 
>> be enough for those NFS services that use rpcbind?  
> There are no guarantees about that.  Solaris, for example, tends to have
> RPC services in the 32K range.  
> 		--Steven M. Bellovin,

I realized after i wrote that it wasn't specific enough and someone would 
point it out :-) 

Say if both machines are NetBSD, would what i was thinking about make sense?