Re: Firewalling NFS

2007-06-17 Thread Matteo Riondato
On Sat, Jun 16, 2007 at 10:09:56PM +0200, Jeremie Le Hen wrote: > Sorry, I checked RELENG_6. I've been told that rpc.lockd(8) and > rpc.statd(8) now have the "-p" option in -CURRENT. It seems that > nfsd(8)'s port number is assigned in recorded in services(5). > Therefore my question will be tota

Re: Firewalling NFS

2007-06-16 Thread Jeremie Le Hen
Hi Alfred, On Fri, Jun 15, 2007 at 10:40:05PM -0700, Alfred Perlstein wrote: > * Jeremie Le Hen <[EMAIL PROTECTED]> [070615 01:07] wrote: > > Hi, > > > > It appears nearly impossible to firewall a NFS server on FreeBSD. > > It would be nearly impossible if one didn't know much about NFS. It is s

Re: Firewalling NFS

2007-06-15 Thread Alfred Perlstein
* Jeremie Le Hen <[EMAIL PROTECTED]> [070615 01:07] wrote: > Hi, > > It appears nearly impossible to firewall a NFS server on FreeBSD. It would be nearly impossible if one didn't know much about NFS. Care to rephrase your assertion? > The reason is that NFS related daemons use RPC, which means t

Re: Firewalling NFS

2007-06-15 Thread Dave
ve restarted the services several times and they hold the same ports. Hth Dave. - Original Message - From: "Bruce M. Simpson" <[EMAIL PROTECTED]> To: "Eygene Ryabinkin" <[EMAIL PROTECTED]> Cc: ; "Jeremie Le Hen" <[EMAIL PROTECTED]> Sent: F

Re: Firewalling NFS

2007-06-15 Thread Dave
To: "Eygene Ryabinkin" <[EMAIL PROTECTED]> Cc: ; "Jeremie Le Hen" <[EMAIL PROTECTED]> Sent: Friday, June 15, 2007 1:47 PM Subject: Re: Firewalling NFS Eygene Ryabinkin wrote: NFSD binds to the port nfsd (2049) and for my -CURRENT both lockd and statd have 

Re: Firewalling NFS

2007-06-15 Thread Chuck Swiger
On Jun 15, 2007, at 12:27 AM, Jeremie Le Hen wrote: It appears nearly impossible to firewall a NFS server on FreeBSD. Yes and no. It's quite easy to firewall NFS along with everything else using a "default deny" ruleset. It's highly difficult to place a restrictive firewall ruleset betwee

Re: Firewalling NFS

2007-06-15 Thread Eygene Ryabinkin
Bruce, good day. Fri, Jun 15, 2007 at 06:47:07PM +0100, Bruce M. Simpson wrote: > I added the -p switch to mountd(8) a few years ago, as I needed to run a > read-only NFS server exposed to the outside world; to firewall it I needed a > deterministic RPC port number, which is what -p gives you. O

Re: Firewalling NFS

2007-06-15 Thread Bruce M. Simpson
Eygene Ryabinkin wrote: NFSD binds to the port nfsd (2049) and for my -CURRENT both lockd and statd have '-p' options: - $ man rpc.lockd rpc.statd | grep -- -p rpc.lockd [-d debug_level] [-g grace period] [-p port] -p The -p option allow to force the daemon to bind to the speci

Re: Firewalling NFS

2007-06-15 Thread Eygene Ryabinkin
Jeremie, good day. Fri, Jun 15, 2007 at 09:27:35AM +0200, Jeremie Le Hen wrote: > It appears nearly impossible to firewall a NFS server on FreeBSD. > The reason is that NFS related daemons use RPC, which means they > don't bind to a deterministic port. Only mountd(8) can be requested to > bind to

Re: Firewalling NFS

2007-06-15 Thread Eugene Grosbein
On Fri, Jun 15, 2007 at 09:27:35AM +0200, Jeremie Le Hen wrote: > Hi, > > It appears nearly impossible to firewall a NFS server on FreeBSD. > The reason is that NFS related daemons use RPC, which means they > don't bind to a deterministic port. Only mountd(8) can be requested to > bind to a speci

Firewalling NFS

2007-06-15 Thread Jeremie Le Hen
Hi, It appears nearly impossible to firewall a NFS server on FreeBSD. The reason is that NFS related daemons use RPC, which means they don't bind to a deterministic port. Only mountd(8) can be requested to bind to a specific port or fail with the -p command-line switch. Is there any reason other