why is vfs.nfsrv.nfs_privport=0 by default
Brooks Davis
brooks at freebsd.org
Mon Feb 28 23:19:39 UTC 2011
vfs.nfsrv.nfs_privport controls whether or not NFS enforces the
traditional RPC semantics that require that requests come from
"privileged" ports. By default this check is disabled. Hardening
guides typically suggest this be enabled, usually via the rc.conf knob
nfs_reserved_port_only=YES.
I'm trying to find a good reason why the default is the way it is.
Digging around in the source tree it appears that the rc.conf setting
has been that way since either /etc/rc.conf or /etc/defaults/rc.conf has
been in the tree.
I do not consider the fact that the security provided is weak at best to
be a good reason to disable it. I suspect support for PC-NFS or
something like that may be the reason, but if that's the case it really
doesn't make any sense.
-- Brooks
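
As an added example (not part of the original post, and not FreeBSD's own rc scripts): a POSIX sh check that reports whether rc.conf-style files enable the nfs_reserved_port_only knob mentioned above. The function names are hypothetical, and the truthy spellings accepted (YES/TRUE/ON/1, case-insensitive) are an assumption about how the rc framework reads the knob.

```shell
#!/bin/sh
# Added example: audit the rc.conf knob behind vfs.nfsrv.nfs_privport.
# Function names are hypothetical; file paths are passed in by the caller.

# effective_knob FILE...: print the last value assigned to
# nfs_reserved_port_only across the files, in order (later files override
# earlier ones). Prints "NO" when unset, the default the post describes.
effective_knob() {
    value="NO"
    for f in "$@"; do
        [ -r "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                nfs_reserved_port_only=*)
                    v=${line#nfs_reserved_port_only=}
                    v=${v%%#*}                        # drop trailing comment
                    v=$(printf '%s' "$v" | tr -d "\"' \t")  # drop quotes/blanks
                    value=$v ;;
            esac
        done < "$f"
    done
    printf '%s\n' "$value"
}

# privport_enforced FILE...: exit status 0 if the knob is set to a truthy
# value (assumed spellings: YES/TRUE/ON/1), 1 otherwise.
privport_enforced() {
    case "$(effective_knob "$@")" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# When run with file arguments, report the configured and the running state.
if [ "$#" -gt 0 ]; then
    if privport_enforced "$@"; then
        echo "rc.conf: reserved-port check enabled"
    else
        echo "rc.conf: reserved-port check NOT enabled"
    fi
    # Running value of the sysctl named in the post (absent on other systems).
    sysctl -n vfs.nfsrv.nfs_privport 2>/dev/null || true
fi
```

Pass the defaults file first and the local override second, for example `/etc/defaults/rc.conf /etc/rc.conf`, so the override wins.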