NFS daemon port numbers for firewall config

To: tech-net%NetBSD.org@localhost
Subject: NFS daemon port numbers for firewall config
From: Taylor R Campbell <campbell+netbsd-tech-net%mumble.net@localhost>
Date: Fri, 19 Apr 2024 21:27:48 +0000

An NFS server has various daemons listening on various ports:

- kernel listens for nfs protocol on port 2049
- rpcbind(8) listens for portmapper protocol on port 111
- rpcbind(8) also listens for rpcbind protocol on a dynamically chosen
  port
- mountd(8) listens for mount protocol on a port that can be chosen
  with `-p', or on a port dynamically chosen by rpcbind(8)
- rpc.lockd, statd, quotad all use dynamically chosen ports

How does one configure a firewall to limit this traffic, e.g. to allow
NFS traffic only from one network interface and not others?

One can restrict ports 2049 and 111, and set a fixed port number for
mountd, but even if one don't run lockd/statd/quotad there's still the
dynamic rpcbind port.

I think all of these daemons should maybe have a `-p <port>' option
like mountd(8) so an admin can predetermine the port numbers and bake
them into npf.conf.  And maybe there should be a way to disable new
registrations in rpcbind(8) and use only a set of saved ones.

Am I missing any existing way to do this?


I filed PR 58175 to track this -- either to add the functionality, or
to update the documentation to refer to it if it already exists:

https://gnats.netbsd.org/58175

Follow-Ups:
- Re: NFS daemon port numbers for firewall config
  - From: Michael van Elst
- Re: NFS daemon port numbers for firewall config
  - From: Lloyd Parkes

Prev by Date: Re: MBuf leak in ether_output()
Next by Date: Re: NFS daemon port numbers for firewall config
Previous by Thread: MBuf leak in ether_output()
Next by Thread: Re: NFS daemon port numbers for firewall config
Indexes:

Home | Main Index | Thread Index | Old Index