From: Duncan Anker
To: freebsd-questions@freebsd.org
Subject: [Fwd: Re: NFS Reserved Port Only?]
Date: 20 Dec 2002 11:14:18 +1000
Organization: Dark Blue Sea

Probably intended for the list

-----Forwarded Message-----

>
> For the purpose of answering my own question if someone is reading
> through the old posts the unprivileged port because of NAT was solved by
> adding the -n option to mountd.
>
> Although I find it kind of interesting that the documentation says this
> clears the nfs_privport sysctl flag but you can't allow it by clearing
> the flag yourself.

I didn't find that flag - however I found that clearing the sysctl flag
did work. Odd.

>
> Ryan
>
> On Thu, 2002-12-19 at 18:57, Duncan Anker wrote:
> > On Fri, 2002-12-20 at 03:59, Ryan Sommers wrote:
> > > Does nfs_reserved_port_only really make NFS that much more secure? Or is
> > > this more of a deprecated option.
> >
> > Doesn't really help. It's slightly more secure in an environment where
> > you don't fully trust your users, but all it does is require the
> > connection to come from a privileged port. Since any script kiddie can
> > stick a Linux or *BSD box on the net with root access, it really doesn't
> > help secure against the sort of attacks you'd want to secure against.
> >
> > I have found this option is nothing more than annoying (my NFS monitor
> > won't use a privileged port, for example) so I leave it off.
> >
> > As far as the rest of your NFS privilege problems go, you may need to
> > mount the filesystem with TCP. I'm not sure how NFS works with NAT, but
> > I had some issues with this. Alternatively, if you have multiple IP
> > addresses on one interface, you need to explicitly tell nfsd which ones
> > to bind to, as wildcarding doesn't work with UDP.
> >
> > HTH
> > Duncan Anker
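
The reserved-port check discussed in this thread, as an added example that is not part of the original messages and is not FreeBSD's code: a loopback UDP server applies the "source port below 1024" rule to a request sent from an ordinary ephemeral port, which is what a NATed client or a non-root monitor presents. The function names and the request payload are constructed for illustration.

```python
import socket

IPPORT_RESERVED = 1024  # on Unix, binding a port below this needs root


def source_port_allowed(src_port, reserved_port_only):
    """The entire policy: if enabled, the request must come from a port < 1024."""
    return (not reserved_port_only) or 0 < src_port < IPPORT_RESERVED


def handle_one_request(server, reserved_port_only):
    """Receive one datagram, apply the policy, reply, return (verdict, source port)."""
    _, (src_ip, src_port) = server.recvfrom(1024)
    allowed = source_port_allowed(src_port, reserved_port_only)
    verdict = "accepted" if allowed else "rejected"
    server.sendto(verdict.encode(), (src_ip, src_port))
    return verdict, src_port


def demo(reserved_port_only):
    """Send one constructed request from a non-privileged socket on loopback."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as server, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        server.bind(("127.0.0.1", 0))
        server.settimeout(5)
        client.settimeout(5)
        # Port 0 asks the OS for an ephemeral port (always >= 1024), the same
        # kind of source port a NAT gateway hands out after rewriting.
        client.bind(("127.0.0.1", 0))
        client.sendto(b"MOUNT /export", server.getsockname())  # constructed payload
        verdict, src_port = handle_one_request(server, reserved_port_only)
        reply, _ = client.recvfrom(1024)
        assert reply.decode() == verdict
        return verdict, src_port


if __name__ == "__main__":
    for policy in (True, False):
        verdict, port = demo(policy)
        print(f"reserved_port_only={policy}: request from port {port} {verdict}")
```

The server only sees a port number chosen on the client side, so the check establishes that the sender had root on some machine, not that the machine or its user is one you trust.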