From: Dhananjay Balan
To: FreeBSD
Subject: How to secure NFS?
Date: Tue, 4 Aug 2020 22:43:08 +0200

Hi,

I am trying to run an NFS server following https://www.freebsd.org/doc/handbook/network-nfs.html (on 12.1-RELEASE-p6). It doesn't touch at all about securing this server, is there any such documentation?

Also my pf never sees any of these packets. I have block in all on the file with explicit pass in rules and this just works :/ How is it completely by-passing my firewall?

Regards,
Dhananjay Balan