Date: Sat, 16 Jun 2007 22:09:56 +0200
From: Jeremie Le Hen <jeremie@le-hen.org>
To: Alfred Perlstein <alfred@freebsd.org>
Cc: freebsd-net@FreeBSD.org
Subject: Re: Firewalling NFS
Message-ID: <20070616200956.GA63387@obiwan.tataz.chchile.org>
In-Reply-To: <20070616054005.GU96936@elvis.mu.org>
References: <20070615072734.GC8093@obiwan.tataz.chchile.org> <20070616054005.GU96936@elvis.mu.org>

Hi Alfred,

On Fri, Jun 15, 2007 at 10:40:05PM -0700, Alfred Perlstein wrote:
> * Jeremie Le Hen <jeremie@le-hen.org> [070615 01:07] wrote:
> > Hi,
> >
> > It appears nearly impossible to firewall a NFS server on FreeBSD.
>
> It would be nearly impossible if one didn't know much about NFS.

It is surely my case.

> Care to rephrase your assertion?

The new assertion is then: I don't know how to firewall my NFS server
which is running FreeBSD 6.2.

> > The reason is that NFS related daemons use RPC, which means they
> > don't bind to a deterministic port.  Only mountd(8) can be requested to
> > bind to a specific port or fail with the -p command-line switch.
> > Is there any reason other than "no one has needed this yet" why this
> > option is not available for nfsd(8), rpc.lockd(8) and rpc.statd(8)?
>
> this is wrong, wrong and more wrong.

Sorry, I checked RELENG_6.  I've been told that rpc.lockd(8) and
rpc.statd(8) now have the "-p" option in -CURRENT.  It seems that
nfsd(8)'s port number is assigned and recorded in services(5).

Therefore my question will be totally pointless once rpc.lockd(8) and
rpc.statd(8) "-p" option will be MFC'd to RELENG_6.

Sorry for the noise guys.  Thank you for your replies though.

Best regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070616200956.GA63387>
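
The thread's concern, RPC-based NFS daemons registering on ports the firewall does not expect, can be checked from `rpcinfo -p` output. The following is an added example, not part of the original message or of FreeBSD: it lists NFS-related registrations whose port is outside the set the packet filter passes. The function names `sample_rpcinfo` and `check_nfs_ports` are hypothetical, and the sample output and its port numbers are constructed.

```sh
#!/bin/sh
# Constructed sample of `rpcinfo -p` output; the port numbers are made up.
# On a live server, pipe the real `rpcinfo -p` output in instead.
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   tcp   4046  mountd
    100005    3   udp   4046  mountd
    100021    1   tcp    975  nlockmgr
    100021    4   tcp    975  nlockmgr
    100024    1   udp    611  status
EOF
}

# check_nfs_ports PORT...
# Reads `rpcinfo -p` output on stdin. PORT... is the list of ports the
# firewall passes to NFS clients. Prints one "service/proto port" line for
# each NFS-related RPC registration on a port outside that list (deduplicated
# across RPC versions) and returns 1 if there is any, 0 otherwise.
check_nfs_ports() {
    awk -v allowed="$*" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
            # Well-known RPC program numbers of the daemons named in the thread
            name[100000] = "rpcbind";  name[100003] = "nfs"
            name[100005] = "mountd";   name[100021] = "nlockmgr"
            name[100024] = "status"
        }
        ($1 in name) && !($4 in ok) {
            key = name[$1] "/" $3 " " $4
            if (!(key in seen)) { seen[key] = 1; print key; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Stand-alone run: rpcbind, nfsd and a mountd pinned to 4046 are allowed.
sample_rpcinfo | check_nfs_ports 111 2049 4046 ||
    echo "registrations above are on ports the firewall does not pass"
```

Run again after each daemon restart or reboot: a daemon that was not started with a fixed port may register on a different one each time.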