From: "Bruce M. Simpson"
Date: Fri, 15 Jun 2007 18:47:07 +0100
To: Eygene Ryabinkin
Cc: freebsd-net@FreeBSD.org, Jeremie Le Hen
Subject: Re: Firewalling NFS

Eygene Ryabinkin wrote:
> NFSD binds to the port nfsd (2049) and for my -CURRENT both lockd
> and statd have '-p' options:
> -----
> $ man rpc.lockd rpc.statd | grep -- -p
> rpc.lockd [-d debug_level] [-g grace period] [-p port]
> -p The -p option allow to force the daemon to bind to the specified
> rpc.statd [-d] [-p port]
> -p The -p option allow to force the daemon to bind to the specified
> -----
> Are we talking about same entities?
>

I added the -p switch to mountd(8) a few years ago, as I needed to run a
read-only NFS server exposed to the outside world; to firewall it I needed
a deterministic RPC port number, which is what -p gives you. Otherwise you
have to rely on the TCP wrapper support built into rpcbind(8).

The rpc.lockd and rpc.statd daemons were recently changed to incorporate
this switch too, although I don't think it has been backported to the
6-STABLE branch yet.

Regards,
BMS
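
A check to go with the port pinning described in the message above, as an added example that is not part of the original post or of FreeBSD: it compares `rpcinfo -p` output against the ports the firewall rules assume, so a daemon that came up without `-p` is caught before the ruleset is trusted. The port numbers, the `rc.conf` values in the comments, the function names and the sample `rpcinfo` output are all assumptions constructed for illustration.

```sh
#!/bin/sh
# Assumed pinning in /etc/rc.conf (port numbers are arbitrary picks):
#   mountd_flags="-p 4046"
#   rpc_lockd_flags="-p 4045"
#   rpc_statd_flags="-p 4047"
PINNED="mountd=4046 nlockmgr=4045 status=4047"   # rpcinfo service=port

# check_rpc_ports "svc=port ...": reads `rpcinfo -p` output on stdin and
# reports pinned services that are unregistered or on another port.
# Exit status 0 means the firewall's port list still matches reality.
check_rpc_ports() {
    awk -v want="$1" '
    BEGIN {
        bad = 0
        n = split(want, pairs, " ")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); pinned[kv[1]] = kv[2] }
    }
    # Data rows look like: program vers proto port service
    $1 ~ /^[0-9]+$/ && NF >= 5 && ($5 in pinned) {
        seen[$5] = 1
        if ($4 != pinned[$5]) {
            printf "DRIFT %s/%s on %s, expected %s\n", $5, $3, $4, pinned[$5]
            bad = 1
        }
    }
    END {
        for (svc in pinned)
            if (!(svc in seen)) { printf "MISSING %s\n", svc; bad = 1 }
        exit bad
    }'
}

# Constructed sample: every helper is on its pinned port.
sample_ok() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100003    3   tcp   2049  nfs
    100005    3   tcp   4046  mountd
    100021    4   tcp   4045  nlockmgr
    100024    1   tcp   4047  status
EOF
}

# Constructed sample: rpc.statd was started without -p and got a dynamic port.
sample_drift() { sample_ok | sed 's/4047  status/ 871  status/'; }

sample_ok | check_rpc_ports "$PINNED" && echo "pinned ports OK"
sample_drift | check_rpc_ports "$PINNED" || echo "re-check daemon flags before trusting the ruleset"
```

On a live server the same function is fed with `rpcinfo -p | check_rpc_ports "$PINNED"`, for example from a periodic job that alerts on a non-zero exit status.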