From: Brooks Davis
To: net@freebsd.org
Date: Mon, 28 Feb 2011 09:48:32 -0600
Subject: why is vfs.nfsrv.nfs_privport=0 by default
Message-ID: <20110228154831.GC41129@lor.one-eyed-alien.net>

vfs.nfsrv.nfs_privport controls whether or not NFS enforces the traditional RPC semantics that require that requests come from "privileged" ports. By default this check is disabled.
Hardening guides typically suggest this be enabled, usually via the rc.conf knob nfs_reserved_port_only=YES. I'm trying to find a good reason why the default is the way it is. Digging around in the source tree it appears that the rc.conf setting has been that way since either /etc/rc.conf or /etc/defaults/rc.conf has been in the tree. I do not consider the fact that the security provided is weak at best to be a good reason to disable it. I suspect support for PC-NFS or something like that may be the reason, but if that's the case it really doesn't make any sense.

-- Brooks
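As an added illustration, not part of Brooks's message or of FreeBSD's own code, the Python below models the privileged-port check that vfs.nfsrv.nfs_privport turns on and audits a host's running (sysctl) and persistent (rc.conf nfs_reserved_port_only) settings from constructed sample text. The kernel's exact logic, including any procedures it may exempt, is simplified here and is an assumption; the sample sysctl output, rc.conf lines and request records are constructed.

```python
import re

# Traditional Unix "privileged" range: only root may bind ports below 1024.
IPPORT_RESERVED = 1024


def request_accepted(src_port: int, privport_enforced: bool) -> bool:
    """Model of the server-side check the sysctl enables (simplified assumption).
    Enforcement off (FreeBSD's default per the post): every source port passes.
    Enforcement on: only requests from ports < 1024 pass."""
    if not 0 < src_port < 65536:
        raise ValueError(f"invalid port {src_port}")
    if not privport_enforced:
        return True
    return src_port < IPPORT_RESERVED


def rejected_requests(requests, privport_enforced):
    """Return the (client, src_port) records the server would refuse."""
    return [r for r in requests if not request_accepted(r[1], privport_enforced)]


def parse_sysctl(text):
    """Parse 'sysctl vfs.nfsrv.nfs_privport' output; None if the line is absent."""
    m = re.search(r"^vfs\.nfsrv\.nfs_privport:\s*(\d+)\s*$", text, re.M)
    return None if m is None else int(m.group(1)) != 0


def rcconf_reserved_port_only(text):
    """Last nfs_reserved_port_only assignment wins, as in sh; None if the knob is unset."""
    val = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^nfs_reserved_port_only=[\"']?(\w+)[\"']?$", line)
        if m:  # same truthy spellings rc.subr's checkyesno accepts
            val = m.group(1).upper() in ("YES", "TRUE", "ON", "1")
    return val


def audit(sysctl_text, rcconf_text):
    """Compare what is enforced now with what rc.conf will set at next boot."""
    running = parse_sysctl(sysctl_text)
    persistent = rcconf_reserved_port_only(rcconf_text) or False   # unset = default NO
    mismatch = running is not None and running != persistent
    return {"running": running, "persistent": persistent, "mismatch": mismatch}


# Constructed samples: a host left at the default, and three request records.
SAMPLE_SYSCTL = "vfs.nfsrv.nfs_privport: 0\n"
SAMPLE_RCCONF = 'nfs_server_enable="YES"\nnfs_reserved_port_only="NO"\n# nfs_reserved_port_only="YES"\n'
SAMPLE_REQUESTS = [("10.0.0.5", 1023), ("10.0.0.5", 1024), ("10.0.0.9", 40123)]
```

With the default in place every sample request is served; turning the knob on refuses the two from unprivileged ports, which is all the check ever buys (a root user on any client host can still bind a low port, which is the weakness the post refers to).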