Restricting NFS daemons

cpghost cpghost at
Tue Jan 25 17:09:56 PST 2005

Chuck Swiger wrote:

> cpghost wrote:
>> how can one configure NFS daemons (esp. mountd and rpcbind) so that 
>> they listen only on one IP address (e.g. on
> While some of the daemons are growing flags to bind only to specified 
> addresses, it turns out to be unwise to depend on that capability 
> alone to protect a fileserver.  If you want to do NFS securely, you 
> need to protect the network by using a firewall which prevents 
> source-routing and address spoofing of internal hosts.
I know this is the default action in most scenarios.

However, in this very special case, using a packet filter is not an option.

The host is multi-homed, so a lot of address spoofing and source routing
tricks are not that easy anyway (though certainly not impossible, due to
the intricacies of NAT).

It would be nice if at least rpcbind honored its -h flag and mountd grew its
own flag to bind(2) to specific addresses. It's perhaps just a few lines
of code; I'll have to dive into that socket API though... :).


Cordula's Web.
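A defender's check for the binding question discussed above, added here and not part of the original post: it parses `sockstat -4 -l` style output (a constructed sample is embedded; the column layout, the daemon names and the 192.0.2.1 address are assumptions) and lists NFS-related daemons still listening on the wildcard address instead of one specific IP.

```shell
# Constructed sample in the layout of `sockstat -4 -l` on FreeBSD (assumption,
# not output from the thread): rpcbind and nfsd still bind to the wildcard,
# mountd has been pinned to 192.0.2.1.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     rpcbind    512   6  udp4   *:111                 *:*
root     rpcbind    512   7  tcp4   *:111                 *:*
root     mountd     530   5  tcp4   192.0.2.1:906         *:*
root     nfsd       540   5  tcp4   *:2049                *:*
root     sshd       600   4  tcp4   192.0.2.1:22          *:*'

# Print "COMMAND PROTO LOCAL" for every NFS-related daemon whose local
# address is the wildcard ("*:port"). The header row (NR == 1) is skipped;
# column 6 is LOCAL ADDRESS in the sockstat layout assumed above.
wildcard_nfs_listeners() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $2 ~ /^(rpcbind|mountd|nfsd)$/ && $6 ~ /^\*:/ { print $2, $5, $6 }'
}

# Number of wildcard NFS listeners; 0 means each daemon is bound to a
# specific address, which is what the -h style flags are meant to achieve.
count_wildcard_nfs_listeners() {
    wildcard_nfs_listeners "$1" | wc -l | tr -d ' '
}

# On a real FreeBSD host run it over live output instead of the sample:
#   wildcard_nfs_listeners "$(sockstat -4 -l)"
wildcard_nfs_listeners "$SAMPLE"
```

A non-empty listing means the address restriction alone is not in effect for that daemon, which is the gap the firewall advice in the thread is about.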

More information about the freebsd-questions mailing list