Date: Tue, 1 Mar 2011 17:59:05 -0500 (EST)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Brooks Davis <brooks@freebsd.org>
Cc: net@freebsd.org
Subject: Re: any is vfs.nfsrv.nfs_privport=0 by default
Message-ID: <297419299.601659.1299020345042.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <20110228154831.GC41129@lor.one-eyed-alien.net>
> vfs.nfsrv.nfs_privport controls whether or not NFS enforces the
> traditional RPC semantics that require that requests come from
> "privileged" ports. By default this check is disabled. Hardening
> guides typically suggest this be enabled, usually via the rc.conf knob
> nfs_reserved_port_only=YES.
>
> I'm trying to find a good reason why the default is the way it is.
> Digging around in the source tree it appears that the rc.conf setting
> has been that way since either /etc/rc.conf or /etc/defaults/rc.conf has
> been in the tree.
>
> I do not consider the fact that the security provided is weak at best to
> be a good reason to disable it. I suspect support for PC-NFS or
> something like that may be the reason, but if that's the case it really
> doesn't make any sense.
>
Two comments:

1 - RFC3530 (NFSv4) specifically states that reserved port #s cannot be
    required.
    --> If you change the defaults, it will be different for NFSv4 than
        NFSv2,3. Not incorrect, but a little weird.

2 - It was probably disabled by default so that clients wouldn't run out
    of reserved ports when doing lotsa mounts.

But, I don't care what the default is for NFSv2,3, rick