From: Sandy Rutherford
Date: Tue, 19 Apr 2005 11:57:21 -0700
To: FreeBSD mailinglist
Message-ID: <16997.21649.545909.615696@szamoca.krvarr.bc.ca>
In-Reply-To: <20050419153556.GA60313@epia2.farid-hajji.net>
References: <44ekd8z0xb.fsf@be-well.ilk.org> <20050419153556.GA60313@epia2.farid-hajji.net>
Cc: cpghost@cordula.ws, Florian Hengstberger
Subject: Re: which interface: mountd,rpcbind

>>>>> On Tue, 19 Apr 2005 17:35:56 +0200,
>>>>> cpghost@cordula.ws said:

> On Mon, Apr 18, 2005 at 09:09:36AM -0400, Lowell Gilbert wrote:
>> "Florian Hengstberger" writes:
>>
>> > Hi!
>> > I really worry about that it seems (man mountd, man rpcbind)
>> > impossible to specify the interface these daemons bind to.

> I've had exactly the same problem a while ago! The important thing
> here is that nfsd doesn't bind to INADDR_ANY. The other daemons
> are still potentially vulnerable to other kinds of attacks though,
> but it would be extremely difficult to inject NFS RPCs into this
> system from an external interface.

> I wished rpcbind and mountd (and rpc.lockd and rpc.statd!) could be
> configured to listen on a specific interface. As long as that is not
> implemented, you should really use pf or another packet filter on your
> external interface, to protect NFS.

In addition, tcpwrappers can be used to further protect NFS.

Sandy
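As an added example, not part of the original thread, here is the kind of pf rule set the reply above recommends for an NFS server whose daemons cannot be told which interface to bind: inbound traffic on the external interface is denied by default, and NFS with its RPC helpers is passed only from the LAN on the internal interface. The interface names, the LAN prefix, the ssh exception and the pinned helper ports are assumptions for the example.

```pf
# Added example, not from the original thread: /etc/pf.conf for an NFS
# server whose daemons cannot be bound to one interface.  Everything is
# blocked on the outside interface; NFS is passed only from the LAN.
# Interface names, the LAN prefix and the pinned ports are assumptions.
ext_if = "fxp0"
int_if = "fxp1"
lan    = "192.168.1.0/24"

# rpcbind and nfsd use fixed ports (111, 2049).  mountd, rpc.lockd and
# rpc.statd otherwise pick dynamic ports, so the numbers below assume they
# were started with -p (e.g. mountd -p 892, rpc.statd -p 893, rpc.lockd -p 894).
nfs_ports = "{ 111, 2049, 892, 893, 894 }"

set skip on lo0
scrub in all

# Default deny inbound on the external interface; log what is dropped.
block in log on $ext_if all

# Let this host's own outbound connections and their replies through.
pass out on $ext_if all keep state

# Admin access from outside (assumed: ssh only); nothing else is passed in.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state

# NFS and its RPC helpers, TCP and UDP, only from the LAN on the inside interface.
pass in on $int_if proto { tcp, udp } from $lan to ($int_if) port $nfs_ports keep state
```

Check the file with `pfctl -nf /etc/pf.conf` (parse only) before loading it with `pfctl -f /etc/pf.conf`. Afterwards `rpcinfo -p <server>` run from a host on the external side should hang and time out, because the block rule drops the packets silently, while the same command from the LAN still lists the registered programs. If the helper daemons are not started with -p, drop the pinned ports from the list and pass the whole LAN prefix to ($int_if) instead, since their ports cannot be known in advance.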