Firewalling NFS
Bruce M. Simpson
bms at incunabulum.net
Fri Jun 15 17:47:12 UTC 2007
Eygene Ryabinkin wrote:
> NFSD binds to the port nfsd (2049) and for my -CURRENT both lockd
> and statd have '-p' options:
> -----
> $ man rpc.lockd rpc.statd | grep -- -p
> rpc.lockd [-d debug_level] [-g grace period] [-p port]
> -p The -p option allow to force the daemon to bind to the specified
> rpc.statd [-d] [-p port]
> -p The -p option allow to force the daemon to bind to the specified
> -----
> Are we talking about the same entities?
>
I added the -p switch to mountd(8) a few years ago, as I needed to run a
read-only NFS server exposed to the outside world; to firewall it I
needed a deterministic RPC port number, which is what -p gives you.
Otherwise you have to rely on the TCP wrapper support built into
rpcbind(8). The rpc.lockd and rpc.statd daemons were recently changed to
incorporate this switch too, although I don't think it has been
backported to the 6-STABLE branch yet.
Regards,
BMS
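
One way to confirm that the daemons really sit on the ports the firewall rules expect, as an added example that is not part of the original message: the function reads `rpcinfo -p` output and flags mountd, lockd (`nlockmgr`) and statd (`status`) registrations that are off their pinned port or missing. The port numbers, the rc.conf lines in the comment and both sample listings are constructed assumptions.

```sh
# Added example. Ports 4045-4047 are constructed; choose your own. Assumed
# /etc/rc.conf pins:  mountd_flags="-r -p 4046"
#                     rpc_lockd_flags="-p 4045"  rpc_statd_flags="-p 4047"
PINS="mountd=4046 nlockmgr=4045 status=4047"

# Usage on a live server: rpcinfo -p | check_pinned_ports "$PINS"
# Prints each registration that is off its pinned port and each pinned
# service with no registration; returns 0 only when everything matches.
check_pinned_ports() {
    awk -v pins="$1" '
        BEGIN {
            bad = 0; n = split(pins, kv, " ")
            for (i = 1; i <= n; i++) { split(kv[i], p, "="); want[p[1]] = p[2] }
        }
        ($5 in want) {                  # columns: program vers proto port service
            seen[$5] = 1
            if ($4 != want[$5]) {
                printf "MISMATCH %s/%s on port %s, expected %s\n", $5, $3, $4, want[$5]
                bad = 1
            }
        }
        END {
            for (s in want) if (!(s in seen)) { printf "MISSING %s\n", s; bad = 1 }
            exit bad
        }'
}

# Constructed rpcinfo -p output: daemons started without -p (dynamic ports).
sample_dynamic() { cat <<'EOF'
   program vers proto   port  service
    100003    3   tcp   2049  nfs
    100005    3   udp    881  mountd
    100005    3   tcp    881  mountd
    100021    4   udp   1011  nlockmgr
    100024    1   udp    978  status
EOF
}

# Constructed rpcinfo -p output: the same daemons started with -p.
sample_pinned() { cat <<'EOF'
   program vers proto   port  service
    100003    3   tcp   2049  nfs
    100005    3   udp   4046  mountd
    100005    3   tcp   4046  mountd
    100021    4   udp   4045  nlockmgr
    100024    1   udp   4047  status
EOF
}
sample_dynamic | check_pinned_ports "$PINS" || echo "firewall rules would not match"
```

Running the check after every reboot or daemon restart catches a server that has silently fallen back to dynamic ports, which a static packet filter rule set would otherwise block or, with a loose rule, over-permit.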
More information about the freebsd-net mailing list