Date: Tue, 18 Dec 2018 15:54:56 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 234106] nfsv4 server ignores nfs_reserved_port_only="YES"
Message-ID: <bug-234106-227-824Zk8ilc9@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-234106-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-234106-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234106

--- Comment #4 from chaz.newton58@gmail.com ---

Hi Rick!

Thanks for the info. I agree with you and the fathers/mothers of NFSv4! The reserved port requirement does NOT make it more secure.

However... The inconsistency between the behavior of Linux (and apparently Solaris/Illumos) NFSv4 servers and FreeBSD NFSv4 servers is not expected.

Would it be possible to implement a "--security-blanket-for-chaz" argument that would utilize the reserved port sysctl, similarly to the NFSv3 service on FreeBSD?

I do have a use case for this though it could also be accomplished using the Kerberos configuration or switching back to NFSv3. The qemu vms that our users would like to use are behind an IPTables NAT or user mode networking. The source port is re-written so that it is greater than 1023, so mounting an export with that sysctl set is not possible with NFSv3 - but is still possible with the NFSv4 export.

Obviously this is only a single security concern in a sea of them, and I definitely do not consider this to be an all-encompassing measure.

In summary - would it be possible to make the FreeBSD NFSv4 server behave like the Linux and Solaris/Illumos server? (disclaimer: I haven't tested Solaris/Illumos's behavior)

--
You are receiving this mail because:
You are the assignee for the bug.
