Firewalling NFS
Jeremie Le Hen
jeremie at le-hen.org
Sat Jun 16 20:10:15 UTC 2007
Hi Alfred,

On Fri, Jun 15, 2007 at 10:40:05PM -0700, Alfred Perlstein wrote:
> * Jeremie Le Hen <jeremie at le-hen.org> [070615 01:07] wrote:
> > Hi,
> >
> > It appears nearly impossible to firewall an NFS server on FreeBSD.
>
> It would be nearly impossible if one didn't know much about NFS.

It is surely my case.

> Care to rephrase your assertion?

The new assertion is then:
I don't know how to firewall my NFS server which is running FreeBSD 6.2.

> > The reason is that NFS related daemons use RPC, which means they
> > don't bind to a deterministic port. Only mountd(8) can be requested to
> > bind to a specific port or fail with the -p command-line switch.
> > Is there any reason other than "no one has needed this yet" why this
> > option is not available for nfsd(8), rpc.lockd(8) and rpc.statd(8)?
>
> this is wrong, wrong and more wrong.

Sorry, I checked RELENG_6. I've been told that rpc.lockd(8) and
rpc.statd(8) now have the "-p" option in -CURRENT. It seems that
nfsd(8)'s port number is assigned and recorded in services(5).
Therefore my question will be totally pointless once the rpc.lockd(8)
and rpc.statd(8) "-p" option is MFC'd to RELENG_6.

Sorry for the noise guys. Thank you for your replies though.

Best regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
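
The port-pinning problem discussed in this thread can be checked from the server side. The script below is an added example, not part of the original message and not FreeBSD project code: it reads `rpcinfo -p` output and lists every RPC registration that is not on the port a static firewall rule expects. The pinned ports for mountd, status and nlockmgr and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Pinned ports for mountd/status/nlockmgr are constructed
# values; substitute whatever ports the daemons were started with via -p.
PINNED="rpcbind=111 nfs=2049 mountd=4046 status=4047 nlockmgr=4045"

# Reads `rpcinfo -p` output on stdin and prints "service proto port" for every
# registration that is not on its pinned port (or has no pinned port at all).
unpinned_rpc() {
    awk -v pinned="$PINNED" '
        BEGIN {
            n = split(pinned, kv, " ")
            for (i = 1; i <= n; i++) { split(kv[i], p, "="); want[p[1]] = p[2] }
        }
        $1 !~ /^[0-9]+$/ { next }          # skip the column header
        {
            svc = ($5 != "") ? $5 : $1     # unnamed program: use its number
            key = svc " " $3 " " $4
            if (seen[key]++) next          # collapse repeated versions
            if (!(svc in want) || want[svc] != $4) print key
        }'
}

# Constructed sample of `rpcinfo -p` output: mountd was started with -p 4046,
# while statd ("status") and lockd ("nlockmgr") took whatever port they got.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp   4046  mountd
    100005    3   tcp   4046  mountd
    100024    1   udp    987  status
    100024    1   tcp    987  status
    100021    1   udp    621  nlockmgr
    100021    4   udp    621  nlockmgr
    100021    1   tcp    621  nlockmgr
    100021    4   tcp    621  nlockmgr
EOF
}

# On a live server: rpcinfo -p | unpinned_rpc
sample_rpcinfo | unpinned_rpc
```

Any line it prints is a service that fixed-port firewall rules would block or miss after the next daemon restart.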