which interface: mountd,rpcbind

cpghost at cordula.ws cpghost at cordula.ws
Tue Apr 19 08:34:35 PDT 2005


On Mon, Apr 18, 2005 at 09:09:36AM -0400, Lowell Gilbert wrote:
> "Florian Hengstberger" <e0025265 at student.tuwien.ac.at> writes:
> 
> > Hi!
> > I'm really worried that it seems (man mountd, man rpcbind)
> > impossible to specify the interface these daemons bind to.

I've had exactly the same problem a while ago! The important thing
here is that nfsd doesn't bind to INADDR_ANY. The other daemons
are still potentially vulnerable to other kinds of attacks though,
but it would be extremely difficult to inject NFS RPCs into this
system from an external interface.

I wished rpcbind and mountd (and rpc.lockd and rpc.statd!) could be
configured to listen on a specific interface. As long as that is not
implemented, you should really use pf or another packet filter on your
external interface, to protect NFS.

> You can't, as far as I can see.  Looks like it would be an afternoon's
> work to add it in, but I wouldn't think it's worth worrying about it.

Yes please, it would be really nice to have this in the source.
If I knew more sockets API, I would have already submitted a PR
for this, but I don't :(. It's just a matter of adding calls to bind(2)
at the right places.

> Since you bind to an address already, a packet filter firewall will
> protect you from access on the wrong interface.

Hmmm, rpcbind, mountd, rpc.lockd and rpc.statd bind to INADDR_ANY, not to
a specific interface. rpcbind even has a documented -h flag that it
doesn't seem to respect fully. That's exactly the problem.

Regards,
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
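The bind(2) change the message asks for, as an added example that is not from the thread or from FreeBSD's rpcbind/mountd sources: a listener that binds to one configured address instead of INADDR_ANY, plus a check an administrator can use to confirm the socket is not on the wildcard address. The function names and the 127.0.0.1 address are assumptions for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a TCP listening socket bound to a single address rather than
 * INADDR_ANY. addr_text is the dotted-quad of the interface that should
 * serve RPC clients (e.g. the internal NFS-facing address); port 0 lets
 * the kernel choose a port, as RPC daemons do before registering with
 * rpcbind. Passing "0.0.0.0" reproduces the wildcard behaviour the thread
 * complains about. Returns the socket, or -1 on failure. */
int listen_on_address(const char *addr_text, unsigned short port)
{
    struct sockaddr_in sin;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return -1;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    /* The fix: a concrete address goes into sin_addr, not INADDR_ANY. */
    if (inet_pton(AF_INET, addr_text, &sin.sin_addr) != 1 ||
        bind(s, (struct sockaddr *)&sin, sizeof(sin)) < 0 ||
        listen(s, 5) < 0) {
        close(s);
        return -1;
    }
    return s;
}

/* Write the address a socket is actually bound to into buf (dotted-quad),
 * as getsockname(2) reports it. Returns 0 on success, -1 on failure. */
int bound_address(int s, char *buf, size_t len)
{
    struct sockaddr_in sin;
    socklen_t slen = sizeof(sin);
    if (getsockname(s, (struct sockaddr *)&sin, &slen) < 0)
        return -1;
    if (inet_ntop(AF_INET, &sin.sin_addr, buf, len) == NULL)
        return -1;
    return 0;
}

/* Returns 1 if the socket listens on the wildcard address 0.0.0.0
 * (reachable from every interface), 0 if it is pinned to one address,
 * -1 if the socket cannot be inspected. */
int is_wildcard(int s)
{
    char buf[INET_ADDRSTRLEN];
    if (bound_address(s, buf, sizeof(buf)) != 0)
        return -1;
    return strcmp(buf, "0.0.0.0") == 0;
}
```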

