Subject: Re: restricting NFS (and associated services) to one IP address
To: None <netbsd-users@NetBSD.org>
From: None <email@example.com>
Date: 11/05/2006 16:49:29
Steven M. Bellovin writes:
> On Sat, 04 Nov 2006 19:08:23 +0000, firstname.lastname@example.org wrote:
>> > The rpc services that register with the portmapper get a random free
>> > port between 512 and 1023. ipfilter's rpc-proxy is basically untested
>> > and supports only udp; pf doesn't have any portmapper support at al ,
>> > AFAIK. This means that on a server, you have to open up the
>> > [512,1023] ports window unconditionally - and block it on the other
>> > interface.
>> > It can be done, but it's awkward, and if you run ipfilter stateful,
>> > you break linux clients kern/27164).
>> > hauke
>> Here's something i thought about while in bed this morning (I know, it's sad
>> that i was thinking about computers in bed):
>> If you have an NFS client machine and an NFS server machine connected only
>> to each other on separate interfaces that aren't connected a larger network
>> on those interfaces, why would you have to open up such a great port range?
>> Couldn't you only allow let's say tcp/udp ports 1000-1023 and wouldn't that
>> be enough for those NFS services that use rpcbind?
> There are no guarantees about that. Solaris, for example, tends to have
> RPC services in the 32K range.
> --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
I realized after i wrote that it wasn't specific enough and someone would
point it out :-)
Say if both machines are NetBSD, would what i was thinking about make sense?