[Bug 234106] nfsv4 server ignores nfs_reserved_port_only="YES"

bugzilla-noreply at freebsd.org
Tue Dec 18 15:54:58 UTC 2018


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234106

--- Comment #4 from chaz.newton58 at gmail.com ---
Hi Rick!

Thanks for the info.  I agree with you and the fathers/mothers of NFSv4!  The
reserved port requirement does NOT make it more secure.

However...

The inconsistency between the behavior of Linux (and apparently
Solaris/Illumos) NFSv4 servers and FreeBSD NFSv4 servers is not expected. 
Would it be possible to implement a "--security-blanket-for-chaz" argument that
would utilize the reserved port sysctl, similarly to the NFSv3 service on
FreeBSD?

I do have a use case for this though it could also be accomplished using the
Kerberos configuration or switching back to NFSv3.  The QEMU VMs that our users
would like to use are behind an IPTables NAT or user mode networking.  The
source port is re-written so that it is greater than 1023, so mounting an
export with that sysctl set is not possible with NFSv3 - but is still possible
with the NFSv4 export.

Obviously this is only a single security concern in a sea of them, and I
definitely do not consider this to be an all-encompassing measure.

In summary - would it be possible to make the FreeBSD NFSv4 server behave like
the Linux and Solaris/Illumos servers? (disclaimer: I haven't tested
Solaris/Illumos's behavior)

-- 
You are receiving this mail because:
You are the assignee for the bug.

