any is vfs.nfsrv.nfs_privport=0 by default
John Baldwin
jhb at freebsd.org
Tue Mar 1 14:49:42 UTC 2011
On Monday, February 28, 2011 10:48:32 am Brooks Davis wrote:
> vfs.nfsrv.nfs_privport controls wither or not NFS enforces the
> traditional RPC semantics that require that requests come from
> "privileged" ports. By default this check is disabled. Hardening
> guides typically suggest this be enabled, usually via the rc.conf knob
> nfs_reserved_port_only=YES.
>
> I'm trying to find a good reason why the default is the way it is.
> Digging around in the source tree it appears that the rc.conf setting
> has been that way since either /etc/rc.conf or /etc/defaults/rc.conf has
> been in the tree.
>
> I do not consider the fact that the security provided is weak at best to
> be a good reason to disable it. I suspect support for PC-NFS or
> something like that may be the reason, but if that's the case it really
> doesn't make any sense.
I think it should default to on, and that the nfs_reserved_port_only setting
should just be removed. Instead, folks who want to turn this off can pass
'-n' to mountd, for which there are already other rc.conf flags such as
mountd_weak_authentication, etc.
Maybe you leave the nfs_reserved_port_only option and have it toggle the -n
option to mountd? Whatever the outcome, I think we need to collapse the
multiple rc.conf variables (mountd_weak_authentication and
nfs_reserved_port_only) down to 1 variable and have the kernel default to
requiring a privileged port.
--
John Baldwin
More information about the freebsd-net
mailing list