Date: Sun, 20 Feb 2011 13:11:03 -0500 (EST)
From: Rick Macklem
To: Chuck Swiger
Cc: freebsd-stable@freebsd.org
Subject: Re: statd/lockd startup failure
Message-ID: <990201594.149705.1298225463594.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <8AB6976A-610D-46B1-BAE8-2BBDC70BBAE6@mac.com>

> Hi--
>
> On Feb 19, 2011, at 1:16 PM, Rick Macklem wrote:
> > Well, that was what I was proposing. I could be wrong, but as far as I
> > know, this is allowed by Sun RPC. The port#s are assigned dynamically and
> > registered with rpcbind. (I don't necessarily agree with the design, but
> > this was/is how Sun RPC does it. The philosophy was/is that apps. don't know
> > what port# is being used and shouldn't care. If sysadmins want to use a
> > fixed port#, they can use command line options to override the default
> > dynamic assignment. And, yes, this is one reason that Sun RPC is a pita
> > w.r.t. firewalls. 1980s design...)
>
> Trying to force SunRPC and old NFS through fixed ports in order to
> pass through a firewall sounds like a lot more work, and weakens the
> security of a firewall to such a significant extent that I have to
> wonder if it is the right problem to solve. :-)
>
> Why not set up a VPN via OpenVPN/IPSec/ssh+ppp/etc...?
>
Well, the discussion was how to fix a problem where the dynamically
assigned port# for one of (udp,tcp X ip6,ip4) wasn't available for
the others. The test patch I posted allowed each of the four to select
different port#s.

The daemons already allow specification of a fixed port# (-p option)
for anyone who wants a fixed port#. (And yes, I see not being able to
run this stuff through a firewall a feature and not a bug.)

rick
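
The failure discussed in this message, as an added example that is not part of the original post and is not the statd/lockd code or the test patch: a loopback model in which a port handed out for one transport is already taken on another, next to the per-transport assignment the message describes. The names `tp`, `bind_tp` and `bind_all`, and the socket that pre-occupies the TCP/IPv4 port, are constructed for illustration.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Loopback stand-ins for the thread's four transports: (udp,tcp) x (ip4,ip6). */
static const struct { int family, type; } tp[4] = {
    { AF_INET, SOCK_DGRAM },  { AF_INET, SOCK_STREAM },
    { AF_INET6, SOCK_DGRAM }, { AF_INET6, SOCK_STREAM },
};

/* Bind transport i to `port` (0 = kernel assigns one). Returns the bound
 * port with the socket in *fd, or -1 with *fd == -1 and nothing left open. */
static int bind_tp(int i, int port, int *fd)
{
    struct sockaddr_in a4 = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    struct sockaddr_in6 a6 = { .sin6_family = AF_INET6, .sin6_port = htons(port),
                               .sin6_addr = IN6ADDR_LOOPBACK_INIT };
    int v6 = tp[i].family == AF_INET6;
    struct sockaddr *sa = v6 ? (struct sockaddr *)&a6 : (struct sockaddr *)&a4;
    socklen_t len = v6 ? sizeof(a6) : sizeof(a4);
    *fd = socket(tp[i].family, tp[i].type, 0);
    if (*fd >= 0 && bind(*fd, sa, len) == 0 && getsockname(*fd, sa, &len) == 0)
        return ntohs(v6 ? a6.sin6_port : a4.sin_port);
    if (*fd >= 0) { close(*fd); *fd = -1; }
    return -1;
}

/* Bind the first n transports and return how many succeeded. port > 0 demands
 * that one port everywhere; port == 0 lets each transport get its own. */
static int bind_all(int n, int port)
{
    int fds[4], i, ok = 0;
    for (i = 0; i < n; i++)
        ok += bind_tp(i, port, &fds[i]) > 0;   /* sockets stay open together */
    for (i = 0; i < n; i++)
        if (fds[i] >= 0) close(fds[i]);
    return ok;
}

int main(void)
{
    int sq, p = bind_tp(1, 0, &sq);  /* constructed: tcp4 port p is already held */
    printf("port %d demanded on all four: %d bound\n", p, bind_all(4, p));
    printf("own port per transport:       %d bound\n", bind_all(4, 0));
    if (sq >= 0) close(sq);
    return 0;
}
```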