NetBSD-Bugs archive
misc/58175: firewall nfs daemons
>Number: 58175
>Category: misc
>Synopsis: firewall nfs daemons
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: misc-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Apr 19 19:55:00 +0000 2024
>Originator: Taylor R Campbell
>Release: current, 10
>Organization:
The NfsNpf Foundation
>Environment:
>Description:
It is generally a bad idea to expose nfs to the open internet.
But `nfs' means several things:
- the nfs file system protocol, on port 2049
- the portmapper protocol, on port 111
- the rpcbind protocol, on a port assigned by rpcbind(8)
- the mount protocol, on a port assigned by rpcbind(8) or specified with the -p option to mountd(8)
- the status protocol, on a port assigned by rpcbind(8) for rpc.statd(8)
- the lock, quota, ..., protocols, similarly
Filtering ports 2049 and 111 is easy. Filtering the mount protocol in particular is easy with the `mountd -p' option. Filtering all network access to an NFS server is easy. The NFS daemons also usually allow host-based access control with hosts_access(5) (/etc/hosts.allow, /etc/hosts.deny), and perhaps one could combine that with ingress filtering on a separate firewall host.
But it's not clear how to, e.g., limit access to the NFS daemons to be from a particular network interface like wg0 while rejecting it on bge0, with npf(7).
>How-To-Repeat:
Attempt to follow the admonition at https://www.netbsd.org/docs/guide/en/chap-net-services.html#chap-net-services-nfs to run NFS only on firewalled networks, on a host with multiple interfaces where some interfaces are safe and others are not.
>Fix:
Yes, please! Whatever the right strategy is:
1. This should be suggested in the guide.
2. This should be referenced in appropriate man pages.
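One workable strategy for the multi-interface case the PR describes, as an added example that is not part of the PR, the NetBSD guide, or any NetBSD man page: make the untrusted interface default-deny and enumerate only the services it must offer, so the rpcbind-assigned ports of rpc.statd(8) and rpc.lockd(8) never need to be listed, and open the NFS ports only on the trusted interface. The example follows the layout of the npf.conf(5) EXAMPLES section. Assumptions: wg0 is the trusted interface and bge0 the untrusted one (the names from the PR), the trusted-side network is 10.0.0.0/24, mountd is pinned with mountd_flags="-p 32767" in /etc/rc.conf (the port number is arbitrary), and ssh is the only service offered on bge0.

```conf
# /etc/npf.conf -- added example, not from the PR or the NetBSD guide.
#
# Assumptions (not stated by the PR): wg0 is trusted, bge0 is untrusted,
# the trusted-side network is 10.0.0.0/24, and mountd is pinned with
#     mountd_flags="-p 32767"
# in /etc/rc.conf.  Port 32767 is an arbitrary choice.

$int_v4 = { inet4(wg0) }
$ext_v4 = { inet4(bge0) }
$trusted_net = { 10.0.0.0/24 }

# Fixed-port NFS services: rpcbind (111), nfsd (2049), mountd (pinned above).
# rpc.statd and rpc.lockd still get ports assigned by rpcbind, so they are
# deliberately NOT enumerated; see the per-interface groups below.
$nfs_ports = { 111, 2049, 32767 }

group "trusted" on wg0 {
	# NFS from the trusted network only.  Stateful so replies are passed.
	pass stateful in final proto tcp from $trusted_net to $int_v4 port $nfs_ports
	pass stateful in final proto udp from $trusted_net to $int_v4 port $nfs_ports
	# statd/lockd ports are dynamic; on the trusted side, allow the rest of
	# the RPC traffic from the trusted network rather than guessing ports.
	pass stateful in final from $trusted_net to $int_v4
	pass stateful out final all
}

group "untrusted" on bge0 {
	# Default-deny inbound: nothing NFS- or RPC-related is listed here, so
	# ports 111, 2049, the pinned mountd port, and whatever rpcbind hands to
	# statd/lockd are all rejected on this interface.
	pass stateful out final all
	pass stateful in final family inet4 proto tcp to $ext_v4 port ssh
}

group default {
	pass final on lo0 all
	block all
}
```

Load it with `npfctl reload` and check the result with `npfctl show` and `rpcinfo -p` on both interfaces: the services must be reachable on the wg0 address and silently dropped on the bge0 address. Because the rpcbind-assigned ports change across daemon restarts, the "untrusted" group must stay a positive list of non-NFS services; adding a `block` rule per port would leave the dynamic ones open. The hosts_access(5) controls mentioned in the PR remain useful as a second layer if the npf rules are ever loosened.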