Firewalling NFS

Jeremie Le Hen jeremie at
Sat Jun 16 20:10:15 UTC 2007

Hi Alfred,

On Fri, Jun 15, 2007 at 10:40:05PM -0700, Alfred Perlstein wrote:
> * Jeremie Le Hen <jeremie at> [070615 01:07] wrote:
> > Hi,
> > 
> > It appears nearly impossible to firewall a NFS server on FreeBSD.
> It would be nearly impossible if one didn't know much about NFS.

It is surely my case.

> Care to rephrase your assertion?

The new assertion is then:
I don't know how to firewall my NFS server which is running FreeBSD 6.2.

> > The reason is that NFS related daemons use RPC, which means they
> > don't bind to a deterministic port.  Only mountd(8) can be requested to
> > bind to a specific port or fail with the -p command-line switch.
> > Is there any reason other than "no one has needed this yet" why this
> > option is not available for nfsd(8), rpc.lockd(8) and rpc.statd(8)?
> this is wrong, wrong and more wrong.

Sorry, I checked RELENG_6.  I've been told that rpc.lockd(8) and
rpc.statd(8) now have the "-p" option in -CURRENT.  It seems that
nfsd(8)'s port number is assigned and recorded in services(5).
Therefore my question will be totally pointless once the rpc.lockd(8)
and rpc.statd(8) "-p" option is MFC'd to RELENG_6.

Sorry for the noise guys.  Thank you for your replies though.

Best regards,
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
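
The check implied by the message above, as an added example that is not part of the original thread: parse `rpcinfo -p` output and flag NFS-related RPC services registered on ports a static firewall ruleset would not pass. The 4002-4004 port choices and the sample output are constructed assumptions; 111 and 2049 are the standard rpcbind and nfsd ports.

```python
import re

# Ports the firewall rules are assumed to allow. The 400x values are
# arbitrary choices for this example, not taken from the thread.
EXPECTED = {"rpcbind": 111, "nfs": 2049, "mountd": 4002,
            "status": 4003, "nlockmgr": 4004}  # status=rpc.statd, nlockmgr=rpc.lockd

# Constructed sample of `rpcinfo -p` output: mountd pinned with -p, the others not.
SAMPLE = """\
   program vers proto   port  service
    100000    4   udp    111  rpcbind
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    3   udp   4002  mountd
    100005    3   tcp   4002  mountd
    100024    1   udp    971  status
    100021    4   udp    863  nlockmgr
    100021    4   tcp    863  nlockmgr
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")

def parse_rpcinfo(text):
    """Return {service: {(proto, port), ...}} from `rpcinfo -p` output."""
    bound = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # the header and blank lines do not match
            _prog, _vers, proto, port, service = m.groups()
            bound.setdefault(service, set()).add((proto, int(port)))
    return bound

def audit(text, expected=EXPECTED):
    """List (service, proto, port, problem) for endpoints the ruleset would miss."""
    bound = parse_rpcinfo(text)
    findings = []
    for service, endpoints in sorted(bound.items()):
        for proto, port in sorted(endpoints):
            if service not in expected:
                findings.append((service, proto, port, "no rule for service"))
            elif port != expected[service]:
                findings.append((service, proto, port, f"expected {expected[service]}"))
    for service in sorted(set(expected) - set(bound)):
        findings.append((service, "-", 0, "not registered"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

On a live server, feed the output of `rpcinfo -p` to `audit()` after each daemon restart; an empty list means every registered service sits on the port the rules expect.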

More information about the freebsd-net mailing list