From owner-freebsd-questions Thu Dec 19 16:57:49 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1665437B405 for ; Thu, 19 Dec 2002 16:57:48 -0800 (PST)
Received: from mail.au.darkbluesea.com (mail.au.darkbluesea.com [203.185.208.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id 80B3243EE8 for ; Thu, 19 Dec 2002 16:57:46 -0800 (PST) (envelope-from d.anker@au.darkbluesea.com)
Received: (qmail 23903 invoked by uid 82); 20 Dec 2002 00:54:28 -0000
Received: from unknown (HELO ?10.0.0.188?) (10.0.0.188) by mail.au.darkbluesea.com with SMTP; 20 Dec 2002 00:54:28 -0000
Subject: Re: NFS Reserved Port Only?
From: Duncan Anker
To: Ryan Sommers
Cc: questions@freebsd.org
In-Reply-To: <1040320787.373.30.camel@lobo>
References: <1040320787.373.30.camel@lobo>
Content-Type: text/plain
Organization: Dark Blue Sea
Message-Id: <1040345864.6584.28.camel@duncan.au.darkbluesea.com>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.2.0
Date: 20 Dec 2002 10:57:44 +1000
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Fri, 2002-12-20 at 03:59, Ryan Sommers wrote:
> Does nfs_reserved_port_only really make NFS that much more secure? Or is
> this more of a deprecated option.

Doesn't really help. It's slightly more secure in an environment where you don't fully trust your users, but all it does is require the connection to come from a privileged port. Since any script kiddie can stick a Linux or *BSD box on the net with root access, it really doesn't help secure against the sort of attacks you'd want to secure against. I have found this option is nothing more than annoying (my NFS monitor won't use a privileged port, for example) so I leave it off.

As far as the rest of your NFS privilege problems go, you may need to mount the filesystem with TCP. I'm not sure how NFS works with NAT, but I had some issues with this. Alternatively, if you have multiple IP addresses on one interface, you need to explicitly tell nfsd which ones to bind to, as wildcarding doesn't work with UDP.

HTH

Duncan Anker
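
An added illustration, not part of the original message and not FreeBSD's nfsd code: a loopback sketch of the kind of check the reply describes, where a request is accepted or refused purely on whether its source port is below 1024. The names `from_reserved_port`, `serve_one` and `demo` are hypothetical, and the request datagram and the 192.0.2.7 address are constructed.

```python
import socket

IPPORT_RESERVED = 1024  # traditional Unix: binding a port below this needs root


def from_reserved_port(addr):
    """The entire test: is the peer's source port in the privileged range?"""
    return 0 < addr[1] < IPPORT_RESERVED


def serve_one(sock, reserved_port_only):
    """Receive one datagram and decide whether it would be served."""
    _data, addr = sock.recvfrom(512)
    if reserved_port_only and not from_reserved_port(addr):
        return "refused", addr[1]
    return "served", addr[1]


def demo(reserved_port_only):
    """Send one constructed request over loopback from an unprivileged port."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        server.bind(("127.0.0.1", 0))
        server.settimeout(2)
        client.bind(("127.0.0.1", 0))  # OS picks an ephemeral port (>= 1024)
        client.sendto(b"constructed request", server.getsockname())
        return serve_one(server, reserved_port_only)
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    print("option on :", demo(True))
    print("option off:", demo(False))
    # The decision uses only the port number the peer chose to send from.
    # Which machine it is, and who is root on it, never enters the check.
    print("port 1023 passes:", from_reserved_port(("192.0.2.7", 1023)))
```

This also shows why an unprivileged tool such as the NFS monitor mentioned above gets refused when the option is on.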