From: cpghost <cpghost@cordula.ws>
Date: Wed, 26 Jan 2005 10:14:30 +0100
To: Chuck Swiger
Cc: freebsd-questions@freebsd.org
Subject: Re: Restricting NFS daemons
Message-ID: <41F75F76.5030900@cordula.ws>
In-Reply-To: <41F6B3AA.8060608@mac.com>

Chuck Swiger wrote:
> cpghost wrote:
>
>> how can one configure NFS daemons (esp. mountd and rpcbind) so that
>> they listen only on one IP address (e.g. on 192.168.1.1)?
>
> While some of the daemons are growing flags to bind only to specified
> addresses, it turns out to be unwise to depend on that capability
> alone to protect a fileserver. If you want to do NFS securely, you
> need to protect the network by using a firewall which prevents
> source-routing and address spoofing of internal hosts.

I know this is the default action in most scenarios.
However, in this very special case, using a packet filter is not an option.
The host is multi-homed, so a lot of address spoofing and source routing
tricks are not that easy anyway (though certainly not impossible, due to
the intricacies of NAT).

It would be nice if at least rpcbind honored its -h flag and mountd grew
its own flag to bind(2) to specific addresses. It's perhaps just a few
lines of code; I'll have to dive into that socket API though... :)

Thanks,
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
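The "few lines of code" cpghost refers to, as an added example that is not part of this thread and is not taken from rpcbind or mountd: a TCP listener that is bound to one specific IPv4 address instead of INADDR_ANY, with a check that reads the bound address back via getsockname(2). The function and helper names (listen_on_address, bound_to) are made up for the example, 127.0.0.1 and an ephemeral port stand in for the 192.168.1.1 of the thread so the program runs on any host, and SO_REUSEADDR is set only for convenient re-running.

```c
/* Added example (not from the thread): bind a listening TCP socket to a
 * single local address rather than to every interface (INADDR_ANY). */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a TCP listening socket bound only to addr:port.
 * Returns the socket fd, or -1 on any error (bad address, socket/bind/listen
 * failure). If bound is non-NULL it receives the actual local address, which
 * matters when port is 0 and the kernel picks an ephemeral port. */
int listen_on_address(const char *addr, uint16_t port, struct sockaddr_in *bound)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1)
        return -1;                          /* not a valid dotted quad */

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    int one = 1;                            /* assumption: convenience only */
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    /* This is the bind(2) call in question: the socket will only accept
     * connections addressed to sin.sin_addr, not to the host's other
     * addresses. With sin.sin_addr = INADDR_ANY it would listen everywhere. */
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }

    if (bound) {
        socklen_t len = sizeof *bound;
        if (getsockname(fd, (struct sockaddr *)bound, &len) < 0) {
            close(fd);
            return -1;
        }
    }
    return fd;
}

/* Return 1 if the socket's local address is exactly addr and is not the
 * wildcard 0.0.0.0, else 0. Used to verify the restriction actually took. */
int bound_to(const struct sockaddr_in *bound, const char *addr)
{
    struct in_addr want;
    if (inet_pton(AF_INET, addr, &want) != 1)
        return 0;
    return bound->sin_addr.s_addr == want.s_addr
        && bound->sin_addr.s_addr != htonl(INADDR_ANY);
}

int main(void)
{
    struct sockaddr_in b;
    /* 127.0.0.1 stands in for the 192.168.1.1 of the thread. */
    int fd = listen_on_address("127.0.0.1", 0, &b);
    if (fd < 0) {
        perror("listen_on_address");
        return 1;
    }
    char text[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &b.sin_addr, text, sizeof text);
    printf("listening on %s:%u (bound to one address: %s)\n",
           text, ntohs(b.sin_port), bound_to(&b, "127.0.0.1") ? "yes" : "no");
    close(fd);
    return 0;
}
```

Note what this does and does not buy: the socket will refuse connections that arrive for any other local address, which is the behaviour the -h style flags discussed above are meant to give, but it says nothing about who the peer is. A packet with a spoofed internal source address that reaches 192.168.1.1 is still accepted, which is the point Chuck makes about needing filtering in front of the fileserver.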