From: Jeremie Le Hen
To: Alfred Perlstein
Cc: freebsd-net@FreeBSD.org
Date: Sat, 16 Jun 2007 22:09:56 +0200
Subject: Re: Firewalling NFS
Message-ID: <20070616200956.GA63387@obiwan.tataz.chchile.org>
In-Reply-To: <20070616054005.GU96936@elvis.mu.org>
References: <20070615072734.GC8093@obiwan.tataz.chchile.org> <20070616054005.GU96936@elvis.mu.org>
List-Id: Networking and TCP/IP with FreeBSD

Hi Alfred,

On Fri, Jun 15, 2007 at 10:40:05PM -0700, Alfred Perlstein wrote:
> * Jeremie Le Hen [070615 01:07] wrote:
> > Hi,
> >
> > It appears nearly impossible to firewall an NFS server on FreeBSD.
>
> It would be nearly impossible if one didn't know much about NFS.

It is surely my case.

> Care to rephrase your assertion?

The new assertion is then: I don't know how to firewall my NFS server which is running FreeBSD 6.2.

> > The reason is that NFS related daemons use RPC, which means they
> > don't bind to a deterministic port. Only mountd(8) can be requested to
> > bind to a specific port or fail with the -p command-line switch.
> > Is there any reason other than "no one has needed this yet" why this
> > option is not available for nfsd(8), rpc.lockd(8) and rpc.statd(8)?
>
> this is wrong, wrong and more wrong.

Sorry, I checked RELENG_6. I've been told that rpc.lockd(8) and rpc.statd(8) now have the "-p" option in -CURRENT. It seems that nfsd(8)'s port number is recorded in services(5). Therefore my question will be totally pointless once the rpc.lockd(8) and rpc.statd(8) "-p" option is MFC'd to RELENG_6.

Sorry for the noise guys. Thank you for your replies though.

Best regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
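The practical risk behind this thread is that firewall rules written against fixed ports silently stop matching as soon as one RPC daemon is started without its port pinned. As an added example (not part of the original message or of FreeBSD), the Python below parses `rpcinfo -p` output and reports every NFS-related service registered on a port other than the one the firewall allows; the sample output and the pinned port numbers 892, 4045 and 4046 are constructed, while the service names (mountd, nfs, nlockmgr for rpc.lockd, status for rpc.statd) are the names rpcbind uses.

```python
# Added example (not from the thread): check that the NFS RPC services
# are registered on the ports the firewall allows. rpcbind names: mountd,
# nfs, nlockmgr (rpc.lockd) and status (rpc.statd).

# Constructed `rpcinfo -p` output; mountd/nlockmgr use assumed -p ports,
# status was started without -p and landed on an arbitrary port.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100005    1   udp    892  mountd
    100005    1   tcp    892  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100021    1   udp   4045  nlockmgr
    100024    1   udp  32768  status
    100024    1   tcp  32768  status
"""

# Ports the firewall allows: 111/2049 are the registered rpcbind/nfs ports,
# 892/4045/4046 are assumed -p values for mountd, rpc.lockd, rpc.statd.
EXPECTED_PORTS = {"rpcbind": 111, "nfs": 2049, "mountd": 892,
                  "nlockmgr": 4045, "status": 4046}

def parse_rpcinfo(text):
    """Map service name -> set of (proto, port) from `rpcinfo -p` output."""
    bound = {}
    for line in text.splitlines()[1:]:      # first line is the column header
        fields = line.split()
        if len(fields) != 5:                # skip blank or malformed lines
            continue
        _program, _vers, proto, port, service = fields
        bound.setdefault(service, set()).add((proto, int(port)))
    return bound

def find_unpinned(bound, expected):
    """Return (service, proto, port) for every registration on a port other
    than the expected one, or (service, None, None) if it is not registered."""
    problems = []
    for service, port in expected.items():
        if service not in bound:
            problems.append((service, None, None))
            continue
        for proto, actual in sorted(bound[service]):
            if actual != port:
                problems.append((service, proto, actual))
    return problems
```

Against a live host, feed it the real `rpcinfo -p` output instead of the sample; an empty result means every port in the rule set is still valid, and a non-empty one names the daemon that needs its -p flag.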