From: Sandy Rutherford
Date: Mon, 11 Apr 2005 23:19:15 -0700
To: norgaard@locolomo.org
cc: Matt Juszczak
cc: freebsd-questions@freebsd.org
Subject: Re: IPFILTER and NFS
Message-ID: <16987.26723.321229.93726@szamoca.krvarr.bc.ca>
In-Reply-To: <424FCDD3.6040507@locolomo.org>
References: <424F8B94.7050006@atopia.net> <424FCDD3.6040507@locolomo.org>

>>>>> On Sun, 03 Apr 2005 13:04:51 +0200,
>>>>> Erik Nørgaard said:

> This limits the number of ports relevant to 59, 111 and 2049. You can't
> force lockd and statd to bind to specific ports (they are also RPC
> services) and AFAIK you can't have disk quotas work correctly because of
> this.

> AFAIK NFS4 should address these problems, but the NFS4 server is still
> experimental.

> Till then, RPC is a security nightmare.

Indeed it is. It's not as good as firewall protection; however,
tcp_wrappers can be used to beef up RPC security somewhat. See
/etc/hosts.allow.

Sandy
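As an added illustration (not from Sandy's mail or from the FreeBSD base files) of the tcp_wrappers suggestion above, here is a /etc/hosts.allow fragment that restricts the RPC portmapper in FreeBSD's single-file format, where the `allow`/`deny` option on each line is applied on first match. The 192.168.1.0/255.255.255.0 client subnet is an assumed LAN.

```text
# /etc/hosts.allow (FreeBSD single-file tcp_wrappers format; first match wins)
# Added example, not from the original mail. 192.168.1.0/255.255.255.0 is an
# assumed LAN subnet; replace it with the network your NFS clients sit on.

# rpcbind (the portmapper on port 111) is linked against libwrap and consults
# this file. Allow the local host and the NFS client subnet to query it; these
# lines must come before the catch-all deny below.
rpcbind : 127.0.0.1 : allow
rpcbind : 192.168.1.0/255.255.255.0 : allow

# Everyone else is refused. Only daemons built with libwrap honour this file;
# nfsd itself runs in the kernel and is not covered, so this narrows who can
# look up RPC services but does not replace packet filtering on 111 and 2049.
rpcbind : ALL : deny
```

tcpdmatch(8) lets you check a rule before relying on it, e.g. `tcpdmatch rpcbind 192.168.1.5` should report that access is granted while an address outside the subnet is denied.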