Restricting NFS daemons

Sandy Rutherford sandy at
Tue Jan 25 21:09:59 PST 2005

>>>>> On Wed, 26 Jan 2005 10:02:00 +0100, 
>>>>> cpghost <cpghost at> said:

 > But the question is how to get rpcbind to use tcp-wrappers
 > in the first place!

 > Because even with this in hosts.allow, sockstat -46l still
 > shows:

 > root     rpcbind    10188 7  udp4         *:*
 > root     rpcbind    10188 8  udp4       *:*
 > root     rpcbind    10188 9  udp4   *:<some_random_port>  *:*
 > root     rpcbind    10188 10 tcp4   *:<some_random_port>  *:*

 > So it's still binding to INADDR_ANY :-(

 > Am I missing something obvious, or is rpcbind not "tcp wrapped"
 > by default?

Should be.  Double check to make sure that /usr/sbin/portmap is linked
to libwrap.

On 4.10, I have:

    % objdump -x portmap | head -n 25
    /usr/libexec/elf/objdump: portmap: no symbols

    portmap:     file format elf32-i386
    architecture: i386, flags 0x00000112:
    start address 0x08048de8

    Program Header:
	PHDR off    0x00000034 vaddr 0x08048034 paddr 0x08048034 align 2**2
	     filesz 0x000000c0 memsz 0x000000c0 flags r-x
      INTERP off    0x000000f4 vaddr 0x080480f4 paddr 0x080480f4 align 2**0
	     filesz 0x00000019 memsz 0x00000019 flags r--
	LOAD off    0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12
	     filesz 0x00002700 memsz 0x00002700 flags r-x
	LOAD off    0x00002700 vaddr 0x0804b700 paddr 0x0804b700 align 2**12
	     filesz 0x000001ec memsz 0x00000218 flags rw-
     DYNAMIC off    0x0000275c vaddr 0x0804b75c paddr 0x0804b75c align 2**2
	     filesz 0x000000b8 memsz 0x000000b8 flags rw-
	NOTE off    0x00000110 vaddr 0x08048110 paddr 0x08048110 align 2**2
	     filesz 0x00000018 memsz 0x00000018 flags r--

    Dynamic Section:
      INIT        0x8048adc

I am not surprised that rpcbind is still bound to all of your
interfaces.  AFAIK, tcp-wrappers doesn't control which interface is
being listened on, but rather it controls from which IP numbers
connections will be accepted.  This is what I meant, when I said that
tcp-wrappers doesn't do exactly what you want.  However, if you use
tcp-wrappers to accept only connections from
and configure a firewall on this host to block all connections to the
interface in question from this address range, then you will end up
with something approximating what you want.


More information about the freebsd-questions mailing list