From owner-freebsd-net@FreeBSD.ORG Fri Jun 15 10:59:56 2007
Date: Fri, 15 Jun 2007 14:59:50 +0400
From: Eygene Ryabinkin
To: Jeremie Le Hen
Cc: freebsd-net@FreeBSD.org
Message-ID: <20070615105950.GH3779@void.codelabs.ru>
In-Reply-To: <20070615072734.GC8093@obiwan.tataz.chchile.org>
Subject: Re: Firewalling NFS
List-Id: Networking and TCP/IP with FreeBSD

Jeremie, good day.
On Fri, Jun 15, 2007 at 09:27:35AM +0200, Jeremie Le Hen wrote:
> It appears nearly impossible to firewall a NFS server on FreeBSD.
> The reason is that NFS related daemons use RPC, which means they
> don't bind to a deterministic port. Only mountd(8) can be requested to
> bind to a specific port or fail with the -p command-line switch.
> Is there any reason other than "no one has needed this yet" why this
> option is not available for nfsd(8), rpc.lockd(8) and rpc.statd(8)?

NFSD binds to the port nfsd (2049) and for my -CURRENT both lockd and
statd have '-p' options:
-----
$ man rpc.lockd rpc.statd | grep -- -p
     rpc.lockd [-d debug_level] [-g grace period] [-p port]
     -p      The -p option allow to force the daemon to bind to the specified
     rpc.statd [-d] [-p port]
     -p      The -p option allow to force the daemon to bind to the specified
-----

Are we talking about same entities?
-- 
Eygene
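Once lockd, statd and mountd are pinned with -p, the firewall rules are only as good as the daemons actually honouring those ports. The script below is an added example (not from this thread or from FreeBSD itself) that checks a sockstat(1)-style listing against the expected ports; the listings are constructed, and the lockd/statd/mountd port numbers are placeholders for whatever is passed to -p.

```shell
#!/bin/sh
# Added example, not from the thread: verify that every NFS daemon is
# listening on the fixed port the firewall rules expect before opening it.
# nfsd's 2049 comes from the thread; the rpc.lockd/rpc.statd/mountd ports
# are constructed placeholders standing in for whatever you pass to -p.
NFS_EXPECTED="nfsd:2049 rpc.lockd:4045 rpc.statd:4046 mountd:4047"

# Constructed sockstat(1)-style listings (same columns as `sockstat -4 -l`),
# not captured from a real host. In SAMPLE_BAD lockd took an ephemeral port
# and statd is not running at all.
SAMPLE_OK='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS  FOREIGN ADDRESS
root     nfsd       1234  5  tcp4   *:2049         *:*
root     rpc.lockd  1240  4  udp4   *:4045         *:*
root     rpc.statd  1241  4  udp4   *:4046         *:*
root     mountd     1230  5  tcp4   *:4047         *:*'
SAMPLE_BAD='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS  FOREIGN ADDRESS
root     nfsd       1234  5  tcp4   *:2049         *:*
root     rpc.lockd  1240  4  udp4   *:51234        *:*
root     mountd     1230  5  tcp4   *:4047         *:*'

# check_nfs_ports "cmd:port ..." < listing
# Prints one line per daemon that is missing or bound to the wrong port and
# returns 1 in that case; returns 0 when the listing matches the spec.
check_nfs_ports() {
    awk -v expected="$1" '
    BEGIN {
        bad = 0
        n = split(expected, pairs, " ")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, ":")
            want[kv[1]] = kv[2]
        }
    }
    ($2 in want) {
        port = $6                     # LOCAL ADDRESS column, e.g. *:2049
        sub(/.*:/, "", port)          # keep only the port number
        seen[$2] = 1
        if (port != want[$2]) {
            printf "%s bound to %s, expected %s\n", $2, port, want[$2]
            bad = 1
        }
    }
    END {
        for (d in want)
            if (!(d in seen)) { printf "%s not listening\n", d; bad = 1 }
        exit bad
    }'
}
# On a live FreeBSD host: sockstat -4 -l | check_nfs_ports "$NFS_EXPECTED"
```

A non-zero exit means at least one daemon is not where the pass rules expect it, so the rule set should not be loaded until rc.conf flags and the running processes agree.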