NetBSD-Users archive


Re: How to configure npf to restrict nfs to localhost



On 2020-06-29 23:24, Greg A. Woods wrote:
Stopping rpcbind from revealing ports other RPC servers are listening on
is the primary thing you need to do.  You can do this with filters
blocking TCP and UDP ports #111, and/or with rpcbind itself using its
built-in libwrap support, like so:

In your /etc/hosts.allow file you can restrict rpcbind to given
networks:

	rpcbind:PARANOID:DENY
	rpcbind:0.0.0.0, 127.0.0.1, 10.0.1.0/255.255.255.0 :ALLOW
	rpcbind:ALL:DENY

In order for rpcbind(8) to actually heed /etc/hosts.{allow,deny} it needs to be started with

     -W      Enable libwrap (TCP wrappers) support.

which for whatever reason is not the default.

The default

     -l      Turns on libwrap connection logging.

will just log.

Cheerio,
Hauke

--
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email	        Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
     Respect for open standards              Ruf +49-6151-16-21344
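The three pieces the thread points at (rpcbind started with -W so that hosts.allow is enforced rather than merely logged, the hosts.allow rules Greg gave, and an npf.conf that drops the portmapper on the outside interface) fit together as below. This is an added example, not code from the thread or from NetBSD itself; the external interface name "wm0", the trusted LAN 10.0.1.0/24 (taken from Greg's hosts.allow line) and the nfsd port 2049 are assumptions. The script writes the fragments to a staging directory rather than into /etc, and includes a small check for the -l-without-W pitfall Hauke describes.

```shell
#!/bin/sh
# Added example (not from the original thread): stage the rc.conf,
# hosts.allow and npf.conf fragments that keep rpcbind/NFS off the
# network, then check the rc.conf fragment for the "-l only logs" pitfall.
# Assumptions (not from the page): external interface "wm0", trusted LAN
# 10.0.1.0/24, nfsd on its registered port 2049. Nothing is written to
# /etc; everything lands in $STAGE_DIR (a temp dir unless overridden).
set -eu

STAGE_DIR="${STAGE_DIR:-$(mktemp -d)}"

# /etc/rc.conf fragment: the default -l makes libwrap log only; -W is what
# turns the hosts.allow rules into actual access control.
write_rc_conf() {
    cat > "$1" <<'EOF'
rpcbind=YES
rpcbind_flags="-l -W"
EOF
}

# /etc/hosts.allow: libwrap takes the first matching line, so the
# catch-all DENY has to come last.
write_hosts_allow() {
    cat > "$1" <<'EOF'
rpcbind:PARANOID:DENY
rpcbind:0.0.0.0, 127.0.0.1, 10.0.1.0/255.255.255.0 :ALLOW
rpcbind:ALL:DENY
EOF
}

# /etc/npf.conf: drop portmapper (111) and nfsd (2049) on the external
# interface for both TCP and UDP; loopback stays open so local mounts
# keep working. The trailing "pass stateful in" stands in for whatever
# inbound policy the host already has.
write_npf_conf() {
    cat > "$1" <<'EOF'
$ext_if = "wm0"

group "external" on $ext_if {
    block in final proto tcp to $ext_if port 111
    block in final proto udp to $ext_if port 111
    block in final proto tcp to $ext_if port 2049
    block in final proto udp to $ext_if port 2049
    pass stateful out final all
    pass stateful in final all
}

group default {
    pass final on lo0 all
    block all
}
EOF
}

# Return 0 only if the rc.conf fragment starts rpcbind with -W.
rpcbind_enforces_libwrap() {
    grep -E '^rpcbind_flags=.*-W' "$1" >/dev/null 2>&1
}

# Return 0 only if the last rpcbind line in hosts.allow is the catch-all DENY.
hosts_allow_ends_with_deny() {
    [ "$(grep '^rpcbind:' "$1" | tail -n 1)" = "rpcbind:ALL:DENY" ]
}

write_rc_conf "$STAGE_DIR/rc.conf.fragment"
write_hosts_allow "$STAGE_DIR/hosts.allow"
write_npf_conf "$STAGE_DIR/npf.conf"

if rpcbind_enforces_libwrap "$STAGE_DIR/rc.conf.fragment"; then
    echo "rc.conf: rpcbind will enforce hosts.allow"
else
    echo "rc.conf: WARNING, rpcbind only logs (-l without -W)"
fi
echo "staged fragments in $STAGE_DIR"
```

After merging the fragments into /etc, `npfctl reload` (or `service npf reload`) and `service rpcbind restart` activate them; `npfctl show` lists the loaded rules, and `rpcinfo -p <host>` from a machine outside 10.0.1.0/24 should then time out or be refused, while `rpcinfo -p localhost` on the server still lists nfs and mountd.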

