At Mon, 29 Jun 2020 10:00:06 +0530, Mayuresh <mayuresh%acm.org@localhost> wrote:
Subject: How to configure npf to restrict nfs to localhost
>
> Looking to share host FS with a qemu guest using NFS.
>
> Do not want to expose the NFS ports to outside world. Firstly, what all
> ports are in question - is it 111, 1000 and 2049 (rpc,mount,nfs
> respectively) or is there anything else involved?
>
> Any hints for how to block these ports for outside world and keep open for
> localhost?
Stopping rpcbind from revealing ports other RPC servers are listening on
is the primary thing you need to do. You can do this with filters
blocking TCP and UDP ports #111, and/or with rpcbind itself using its
built-in libwrap support, like so:

In your /etc/hosts.allow file you can restrict rpcbind to given
networks:

	rpcbind:PARANOID:DENY
	rpcbind:0.0.0.0, 127.0.0.1, 10.0.1.0/255.255.255.0 :ALLOW
	rpcbind:ALL:DENY

Make sure you do not run rpcbind(8) with its "-i" (insecure) option!

Note you may want to enable NFS server locking support with
"lockd=${nfs_server}" and "statd=${nfs_server}" in /etc/rc.conf, i.e. if
your virtual machine runs an OS that has client support for NFS locking
(NetBSD does not).

In your /etc/exports file you can further restrict an exported
filesystem to a specified network range like this example:

	/ -alldirs -maproot=nobody -network 10.0.1.0 -mask 255.255.255.0

Further filtering external traffic to/from all possible RPC ports,
i.e. all of those in the range 600-1023 (IPPORT_RESERVEDMIN to
IPPORT_RESERVED-1), 49152-65535 (sysctl net.inet.ip.anonportmin to
sysctl net.inet.ip.anonportmax), and 2049 (NFS_PORT), is another added
layer of protection. Filtering the whole ranges of reserved and
anonymous ports might be a bit too strict though. Unfortunately
rpcbind(8) doesn't have hooks to register filters for registered RPC
services, though one could periodically run "rpcinfo -p" to get the list
of actual RPC ports in use and use that to update the filters.

--
Greg A. Woods <gwoods%acm.org@localhost>
Kelowna, BC +1 250 762-7675 RoboHack <woods%robohack.ca@localhost>
Planix, Inc. <woods%planix.com@localhost> Avoncote Farms <woods%avoncote.ca@localhost>
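An added example, not part of the thread, that implements the last suggestion in the reply: parse "rpcinfo -p" output and emit an npf.conf fragment that passes the registered RPC ports only from localhost and the guest network (the 10.0.1.0/24 used in the hosts.allow example) and blocks them from everywhere else. The rpcinfo output embedded here is constructed, and the rule syntax follows npf.conf(5); the variable names ($rpc_ok, $rpc_tcp, $rpc_udp) are my own.

```shell
#!/bin/sh
# Constructed sample of "rpcinfo -p" output (not captured from a real host);
# on a live system replace it with the real command's output.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   udp    111  rpcbind
    100005    3   udp    906  mountd
    100005    3   tcp    909  mountd
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    4   udp    795  nlockmgr
    100024    1   tcp    840  status'

# Distinct ports registered for one protocol ($1 = tcp or udp), numerically
# sorted and joined as "a, b, c", read from "rpcinfo -p" output on stdin.
rpc_port_list() {
    awk -v proto="$1" 'NR > 1 && $3 == proto { print $4 }' | sort -nu |
        awk '{ list = list (NR > 1 ? ", " : "") $1 } END { print list }'
}

# Emit an npf.conf fragment from "rpcinfo -p" output on stdin.
# $1 is the client set allowed to reach RPC services; everything else is
# blocked. "final" makes the pass rules win before the block rules.
npf_rpc_rules() {
    allowed=$1
    input=$(cat)
    tcp=$(printf '%s\n' "$input" | rpc_port_list tcp)
    udp=$(printf '%s\n' "$input" | rpc_port_list udp)
    printf '$rpc_ok = { %s }\n' "$allowed"
    printf '$rpc_tcp = { %s }\n' "$tcp"
    printf '$rpc_udp = { %s }\n' "$udp"
    printf 'pass in final proto tcp from $rpc_ok to any port $rpc_tcp\n'
    printf 'pass in final proto udp from $rpc_ok to any port $rpc_udp\n'
    printf 'block in final proto tcp from any to any port $rpc_tcp\n'
    printf 'block in final proto udp from any to any port $rpc_udp\n'
}

# Demo: localhost plus the 10.0.1.0/24 guest network from the hosts.allow
# example. Paste the output into an interface group in /etc/npf.conf and
# run "npfctl reload"; rerun whenever RPC daemons restart, since their
# dynamically assigned ports move.
printf '%s\n' "$SAMPLE_RPCINFO" | npf_rpc_rules '127.0.0.1, 10.0.1.0/24'
```

Because mountd, lockd and statd pick their ports at start-up, the fragment has to be regenerated (for example from cron or the rc script that starts them) or the filters silently fall out of date.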