Date: Tue, 18 Dec 2018 15:54:56 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 234106] nfsv4 server ignores nfs_reserved_port_only="YES"
Message-ID: <bug-234106-227-824Zk8ilc9@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-234106-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-234106-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234106

--- Comment #4 from chaz.newton58@gmail.com ---
Hi Rick!

Thanks for the info. I agree with you and the fathers/mothers of NFSv4! The
reserved port requirement does NOT make it more secure.

However... The inconsistency between the behavior of Linux (and apparently
Solaris/Illumos) NFSv4 servers and FreeBSD NFSv4 servers is not expected.
Would it be possible to implement a "--security-blanket-for-chaz" argument that
would utilize the reserved port sysctl, similarly to the NFSv3 service on
FreeBSD?

I do have a use case for this though it could also be accomplished using the
Kerberos configuration or switching back to NFSv3. The qemu vms that our users
would like to use are behind an IPTables NAT or user mode networking. The
source port is re-written so that it is greater than 1023, so mounting an
export with that sysctl set is not possible with NFSv3 - but is still possible
with the NFSv4 export.

Obviously this is only a single security concern in a sea of them, and I
definitely do not consider this to be an all-encompassing measure.

In summary - would it be possible to make the FreeBSD NFSv4 server behave like
the Linux and Solaris/Illumos server? (disclaimer: I haven't tested
Solaris/Illumos's behavior)

-- 
You are receiving this mail because:
You are the assignee for the bug.