> Because portmap(8) dynamically assigns the mountd(8) port, how would
> one write a pass rule in pf for mountd(8) traffic? My problem is that
> every time mountd(8) is re/started, it operates on a different port and
> my fixed pf rules block the mount protocol and, consequently, my
> clients cannot mount an NFS share.
I have looked into this in the past, to teach the pf code rudimentary RPC -> UDP/TCP mapping support by having it talk to portmap. But there are a whole lot of vile issues, and quite frankly there is not much security to be gained from this. You cannot really provide any real security on a local net when doing RPC at the same time.