From owner-freebsd-net@FreeBSD.ORG Tue Mar 1 23:28:07 2011
From: Rick Macklem
To: Brooks Davis
Cc: net@freebsd.org
Date: Tue, 1 Mar 2011 17:59:05 -0500 (EST)
Subject: Re: any is vfs.nfsrv.nfs_privport=0 by default
Message-ID: <297419299.601659.1299020345042.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <20110228154831.GC41129@lor.one-eyed-alien.net>
List-Id: Networking and TCP/IP with FreeBSD

> vfs.nfsrv.nfs_privport controls whether or not NFS enforces the
> traditional RPC semantics that require that requests come from
> "privileged" ports. By default this check is disabled. Hardening
> guides typically suggest this be enabled, usually via the rc.conf knob
> nfs_reserved_port_only=YES.
>
> I'm trying to find a good reason why the default is the way it is.
> Digging around in the source tree it appears that the rc.conf setting
> has been that way since either /etc/rc.conf or /etc/defaults/rc.conf has
> been in the tree.
>
> I do not consider the fact that the security provided is weak at best to
> be a good reason to disable it. I suspect support for PC-NFS or
> something like that may be the reason, but if that's the case it really
> doesn't make any sense.
>
Two comments:

1 - RFC3530 (NFSv4) specifically states that reserved port #s cannot be
    required.
    --> If you change the defaults, it will be different for NFSv4 than
        NFSv2,3. Not incorrect, but a little weird.

2 - It was probably disabled by default so that clients wouldn't run out
    of reserved ports when doing lotsa mounts.

But, I don't care what the default is for NFSv2,3, rick
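An added audit helper for the two settings discussed in this thread (it is not code from the thread or from FreeBSD): privport_verdict maps the running value of vfs.nfsrv.nfs_privport and the rc.conf knob nfs_reserved_port_only to a one-word state, and audit_live reads both with FreeBSD's sysctl(8) and sysrc(8). The verdict names, and the assumption that the rc.conf knob is what carries the setting across an nfsd restart, are mine.

```sh
#!/bin/sh
# Audit helper (added example, not from the thread) for the NFS
# privileged-port check: compares the live sysctl with the rc.conf knob
# that hardening guides tell you to set.

# privport_verdict SYSCTL_VALUE RCCONF_VALUE
#   SYSCTL_VALUE: current vfs.nfsrv.nfs_privport (0 or 1)
#   RCCONF_VALUE: nfs_reserved_port_only from rc.conf (YES/NO, may be empty)
# Prints one word (names are an assumption of this example) and returns 0
# only when the running kernel is enforcing the check right now.
privport_verdict() {
    sysctl_val=$1
    rc_val=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    case "$sysctl_val" in
        1)
            if [ "$rc_val" = "YES" ]; then
                echo enforced        # kernel and rc.conf agree
            else
                echo not-persisted   # set by hand; rc.conf does not keep it
            fi ;;
        0)
            if [ "$rc_val" = "YES" ]; then
                echo rcconf-only     # rc.conf asks for it, kernel not enforcing
            else
                echo disabled        # the default discussed in the thread
            fi ;;
        *)
            echo unknown ;;          # sysctl not present (no nfsd, not FreeBSD)
    esac
    # Only NFSv2/3 are affected either way: RFC 3530 says NFSv4 cannot
    # require reserved ports, so an "enforced" verdict says nothing about v4.
    if [ "$sysctl_val" = "1" ]; then return 0; fi
    return 1
}

# audit_live: read the real values on a FreeBSD host and print the verdict.
audit_live() {
    sv=$(sysctl -n vfs.nfsrv.nfs_privport 2>/dev/null) || sv=""
    rv=$(sysrc -n nfs_reserved_port_only 2>/dev/null) || rv=""
    printf 'vfs.nfsrv.nfs_privport=%s nfs_reserved_port_only=%s -> ' \
        "${sv:-?}" "${rv:-unset}"
    privport_verdict "$sv" "$rv"
}

# Run "sh audit.sh --live" to inspect the current host.
if [ "${1-}" = "--live" ]; then audit_live; fi
```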