tech-net archive


NFS daemon port numbers for firewall config



An NFS server has various daemons listening on various ports:

- kernel listens for nfs protocol on port 2049
- rpcbind(8) listens for portmapper protocol on port 111
- rpcbind(8) also listens for rpcbind protocol on a dynamically chosen
  port
- mountd(8) listens for mount protocol on a port that can be chosen
  with `-p', or on a port dynamically chosen by rpcbind(8)
- rpc.lockd, statd, quotad all use dynamically chosen ports

How does one configure a firewall to limit this traffic, e.g. to allow
NFS traffic only from one network interface and not others?

One can restrict ports 2049 and 111, and set a fixed port number for
mountd, but even if one doesn't run lockd/statd/quotad there's still the
dynamic rpcbind port.

I think all of these daemons should maybe have a `-p <port>' option
like mountd(8) so an admin can predetermine the port numbers and bake
them into npf.conf.  And maybe there should be a way to disable new
registrations in rpcbind(8) and use only a set of saved ones.

Am I missing any existing way to do this?


I filed PR 58175 to track this -- either to add the functionality, or
to update the documentation to refer to it if it already exists:

https://gnats.netbsd.org/58175
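As an added example (not part of the original post), an npf.conf fragment that pins what the message says can be pinned, portmapper (111), nfs (2049) and a mountd started with `-p', to a single interface. The interface names, the client network 192.0.2.0/24 and the mountd port 4003 are assumptions; the dynamically chosen rpcbind port and lockd/statd/quotad that the post raises remain uncovered by this file.

```conf
# Added example, not from the original post: limit NFS to one interface
# with npf(7). Interface names, client network and mountd port are assumed.
$int_if = inet4(wm1)          # interface the NFS clients are on
$ext_if = inet4(wm0)          # every other interface
$nfs_net = { 192.0.2.0/24 }   # constructed client network

# Ports that can be fixed in advance: rpcbind portmapper (111), the kernel
# nfs service (2049) and mountd run as "mountd -p 4003" (4003 is an
# arbitrary choice for this example, not a standard port).
$nfs_ports = { 111, 2049, 4003 }

group "internal" on $int_if {
	# NFS is carried over both TCP and UDP, so both get a rule.
	pass stateful in final proto tcp from $nfs_net to $int_if port $nfs_ports
	pass stateful in final proto udp from $nfs_net to $int_if port $nfs_ports
	pass stateful out final all
}

group "external" on $ext_if {
	# No inbound NFS rule here: 111, 2049 and the mountd port fall through
	# to the default group and are blocked. The second, dynamically chosen
	# rpcbind port and lockd/statd/quotad still cannot be pinned this way.
	pass stateful out final all
}

group default {
	pass final on lo0 all
	block all
}
```

Load it with `npfctl reload` followed by `npfctl start`, and compare against `rpcinfo -p` on the server to see which registered ports are still on dynamic numbers.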

