Date: Tue, 19 Apr 2005 17:35:56 +0200
From: cpghost@cordula.ws
To: Lowell Gilbert
Cc: FreeBSD mailinglist, Florian Hengstberger
Subject: Re: which interface: mountd,rpcbind
Message-ID: <20050419153556.GA60313@epia2.farid-hajji.net>
In-Reply-To: <44ekd8z0xb.fsf@be-well.ilk.org>
References: <44ekd8z0xb.fsf@be-well.ilk.org>
User-Agent: Mutt/1.5.6i

On Mon, Apr 18, 2005 at 09:09:36AM -0400, Lowell Gilbert wrote:
> "Florian Hengstberger" writes:
>
> > Hi!
> > I really worry that it seems (man mountd, man rpcbind)
> > impossible to specify the interface these daemons bind to.

I've had exactly the same problem a while ago!

The important thing here is that nfsd doesn't bind to INADDR_ANY. The other daemons are still potentially vulnerable to other kinds of attacks though, but it would be extremely difficult to inject NFS RPCs into this system from an external interface.

I wish rpcbind and mountd (and rpc.lockd and rpc.statd!) could be configured to listen on a specific interface.

As long as that is not implemented, you should really use pf or another packet filter on your external interface to protect NFS.

> You can't, as far as I can see. Looks like it would be an afternoon's
> work to add it in, but I wouldn't think it's worth worrying about it.

Yes please, it would be really nice to have this in the source. If I knew more of the sockets API, I would have already submitted a PR for this, but I don't :(. It's just a matter of adding calls to bind(2) at the right places.

> Since you bind to an address already, a packet filter firewall will
> protect you from access on the wrong interface.

Hmmm, rpcbind, mountd, rpc.lockd and rpc.statd bind to INADDR_ANY, not to a specific interface. rpcbind even has a documented -h flag that it doesn't seem to respect fully. That's exactly the problem.

Regards,
-cpghost.

--
Cordula's Web. http://www.cordula.ws/
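The bind(2) change cpghost describes, as an added example that is not code from this thread or from the FreeBSD daemons: a TCP listener bound to one address next to the INADDR_ANY default the mail complains about, with getsockname(2) used to verify what a socket actually ended up bound to. The function names bind_listener and bound_address are my own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a TCP listener. With addr_str == NULL the socket is bound to
 * INADDR_ANY (reachable on every interface, which is what rpcbind and
 * mountd do); otherwise it is bound only to the given IPv4 address, which
 * is the bind(2) call the mail says the daemons are missing. Returns the
 * listening fd, or -1 on error. */
int bind_listener(const char *addr_str, unsigned short port)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);            /* port 0: kernel picks a free one */
    if (addr_str == NULL) {
        sin.sin_addr.s_addr = htonl(INADDR_ANY);
    } else if (inet_pton(AF_INET, addr_str, &sin.sin_addr) != 1) {
        close(fd);                         /* reject malformed addresses */
        return -1;
    }
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 5) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Write the address a socket is really bound to into buf; "0.0.0.0" means
 * INADDR_ANY. This is the check to apply when auditing a daemon's sockets.
 * Returns 0 on success, -1 on error. */
int bound_address(int fd, char *buf, size_t buflen)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0)
        return -1;
    return inet_ntop(AF_INET, &sin.sin_addr, buf, buflen) ? 0 : -1;
}

int main(void)
{
    char a[INET_ADDRSTRLEN];
    int lo = bind_listener("127.0.0.1", 0), any = bind_listener(NULL, 0);
    if (lo >= 0 && bound_address(lo, a, sizeof a) == 0) printf("specific: %s\n", a);
    if (any >= 0 && bound_address(any, a, sizeof a) == 0) printf("default:  %s\n", a);
    return 0;
}
```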