From owner-freebsd-net@FreeBSD.ORG  Fri Jun 15 08:01:45 2007
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
X-Original-To: freebsd-net@FreeBSD.org
Delivered-To: freebsd-net@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id A8B6516A400
	for <freebsd-net@FreeBSD.org>; Fri, 15 Jun 2007 08:01:45 +0000 (UTC)
	(envelope-from tataz@tataz.chchile.org)
Received: from postfix2-g20.free.fr (postfix2-g20.free.fr [212.27.60.43])
	by mx1.freebsd.org (Postfix) with ESMTP id 6D49813C44C
	for <freebsd-net@FreeBSD.org>; Fri, 15 Jun 2007 08:01:45 +0000 (UTC)
	(envelope-from tataz@tataz.chchile.org)
Received: from smtp5-g19.free.fr (smtp5-g19.free.fr [212.27.42.35])
	by postfix2-g20.free.fr (Postfix) with ESMTP id 8D2C9131F6D7
	for <freebsd-net@FreeBSD.org>; Fri, 15 Jun 2007 08:28:27 +0200 (CEST)
Received: from tatooine.tataz.chchile.org (tataz.chchile.org [82.233.239.98])
	by smtp5-g19.free.fr (Postfix) with ESMTP id 5384244CA9
	for <freebsd-net@FreeBSD.org>; Fri, 15 Jun 2007 09:27:51 +0200 (CEST)
Received: from obiwan.tataz.chchile.org (unknown [192.168.1.25])
	by tatooine.tataz.chchile.org (Postfix) with ESMTP id 339319B497
	for <freebsd-net@FreeBSD.org>; Fri, 15 Jun 2007 07:27:35 +0000 (UTC)
Received: by obiwan.tataz.chchile.org (Postfix, from userid 1000)
	id 11ACA405B; Fri, 15 Jun 2007 09:27:35 +0200 (CEST)
Date: Fri, 15 Jun 2007 09:27:35 +0200
From: Jeremie Le Hen <jeremie@le-hen.org>
To: freebsd-net@FreeBSD.org
Message-ID: <20070615072734.GC8093@obiwan.tataz.chchile.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.15 (2007-04-06)
Cc: 
Subject: Firewalling NFS
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jun 2007 08:01:45 -0000

Hi,

It appears nearly impossible to firewall a NFS server on FreeBSD.
The reason is that NFS related daemons use RPC, which means they
don't bind to a deterministic port.  Only mountd(8) can be requested to
bind to a specific port or fail with the -p command-line switch.
Is there any reason other than "no one has needed this yet" why this
option is not available for nfsd(8), rpc.lockd(8) and rpc.statd(8)?

Best regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >