From: Chuck Swiger
Date: Sat, 19 Feb 2011 16:47:32 -0800
To: Rick Macklem
Cc: freebsd-stable@freebsd.org
Subject: Re: statd/lockd startup failure
Message-id: <8AB6976A-610D-46B1-BAE8-2BBDC70BBAE6@mac.com>
In-reply-to: <931979672.138955.1298150177898.JavaMail.root@erie.cs.uoguelph.ca>

Hi--

On Feb 19, 2011, at 1:16 PM, Rick Macklem wrote:
> Well, that was what I was proposing. I could be wrong, but as far as I
> know, this is allowed by Sun RPC. The port#s are assigned dynamically and
> registered with rpcbind. (I don't necessarily agree with the design, but
> this was/is how Sun RPC does it. The philosophy was/is that apps. don't know
> what port# is being used and shouldn't care. If sysadmins want to use a
> fixed port#, they can use command line options to override the default
> dynamic assignment. And, yes, this is one reason that Sun RPC is a pita
> w.r.t. firewalls. 1980s design...)

Trying to force SunRPC and old NFS through fixed ports in order to pass through a firewall sounds like a lot more work, and weakens the security of a firewall to such a significant extent that I have to wonder if it is the right problem to solve. :-)

Why not set up a VPN via OpenVPN/IPSec/ssh+ppp/etc...?

Regards,
--
-Chuck