At Mon, 29 Jun 2020 10:00:06 +0530, Mayuresh <mayur...@acm.org> wrote:
Subject: How to configure npf to restrict nfs to localhost
> 
> Looking to share host FS with a qemu guest using NFS.
> 
> Do not want to expose the NFS ports to outside world. Firstly, what all
> ports are in question - is it 111, 1000 and 2049 (rpc,mount,nfs
> respectively) or is there anything else involved?
> 
> Any hints for how to block these ports for outside world and keep open for
> localhost?

Stopping rpcbind from revealing ports other RPC servers are listening on
is the primary thing you need to do.  You can do this with filters
blocking TCP and UDP ports #111, and/or with rpcbind itself using its
built-in libwrap support, like so:

In your /etc/hosts.allow file you can restrict rpcbind to given
networks:

        rpcbind:PARANOID:DENY
        rpcbind:0.0.0.0, 127.0.0.1, 10.0.1.0/255.255.255.0 :ALLOW
        rpcbind:ALL:DENY

Make sure you do not run rpcbind(8) with its "-i" (insecure) option!

Note you may want to enable NFS server locking support with
"lockd=${nfs_server}" and "statd=${nfs_server}" in /etc/rc.conf, i.e. if
your virtual machine runs an OS that has client support for NFS locking
(NetBSD does not).

In your /etc/exports file you can further restrict an exported
filesystem to a specified network range like this example:

        / -alldirs -maproot=nobody -network 10.0.1.0 -mask 255.255.255.0

Further filtering external traffic to/from all possible RPC ports,
i.e. all of those in the range 600-1023 (IPPORT_RESERVEDMIN to
IPPORT_RESERVED-1), 49152-65535 (sysctl net.inet.ip.anonportmin to
sysctl net.inet.ip.anonportmax), and 2049 (NFS_PORT), is another added
layer of protection.  Filtering the whole ranges of reserved and
anonymous ports might be a bit too strict though.  Unfortunately
rpcbind(8) doesn't have hooks to register filters for registered RPC
services, though one could periodically run "rpcinfo -p" to get the list
of actual RPC ports in use and use that to update the filters.

-- 
                                        Greg A. Woods <gwo...@acm.org>

Kelowna, BC     +1 250 762-7675           RoboHack <wo...@robohack.ca>
Planix, Inc. <wo...@planix.com>     Avoncote Farms <wo...@avoncote.ca>
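As an added example (not part of Greg's reply or of NetBSD's own tooling), here is a small POSIX shell script that carries out the "run rpcinfo -p and turn it into filters" idea from the last paragraph: it extracts the registered TCP and UDP ports from rpcinfo -p output and emits an npf.conf fragment that blocks those ports on the external interface except from the VM network. The rpcinfo -p output below is constructed, the interface name wm0 is a placeholder, and the 10.0.1.0/24 network is the one used in the hosts.allow and exports examples above; the rule syntax follows npf.conf(5) as far as I know it. Because the group is bound to $ext_if, traffic on lo0 never reaches these rules, so localhost keeps access to rpcbind, mountd and nfsd without any extra rule.

```shell
#!/bin/sh
# Added example: turn "rpcinfo -p" output into an npf.conf fragment that
# blocks the RPC/NFS ports on the external interface for everyone except
# the VM network.  Loopback traffic never enters a group bound to $ext_if,
# so localhost keeps access without an explicit pass rule.

# Constructed sample of "rpcinfo -p" output (not captured from a real host).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100005    1   udp   1000  mountd
    100005    3   tcp   1000  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp   1001  nlockmgr
    100024    1   udp   1002  status'

# port_list PROTO: read rpcinfo -p output on stdin and print the unique
# ports registered for PROTO (tcp or udp) as a numerically sorted,
# comma-separated list usable as an npf.conf set, e.g. "111, 1000, 2049".
port_list() {
    awk -v proto="$1" 'NR > 1 && NF >= 4 && $3 == proto { print $4 }' |
        sort -un |
        awk '{ if (n++) printf ", "; printf "%s", $0 } END { printf "\n" }'
}

# npf_fragment EXT_IF VM_NET RPCINFO_OUTPUT: print an npf.conf fragment.
# Rule order matters: the "pass ... final" rules for the VM network come
# before the catch-all blocks, and "final" stops further rule matching.
# Only "in" is filtered; replies leaving the host are untouched.
npf_fragment() {
    ext_if=$1
    vm_net=$2
    tcp=$(printf '%s\n' "$3" | port_list tcp)
    udp=$(printf '%s\n' "$3" | port_list udp)
    cat <<EOF
\$ext_if = "$ext_if"
\$vm_net = { $vm_net }
\$rpc_tcp = { $tcp }
\$rpc_udp = { $udp }

group "rpc" on \$ext_if {
    pass in final proto tcp from \$vm_net to \$ext_if port \$rpc_tcp
    pass in final proto udp from \$vm_net to \$ext_if port \$rpc_udp
    block in final proto tcp to \$ext_if port \$rpc_tcp
    block in final proto udp to \$ext_if port \$rpc_udp
}
EOF
}

# Stand-alone run on the constructed sample.  "wm0" is a placeholder
# interface name; 10.0.1.0/24 is the network from the examples above.
npf_fragment wm0 10.0.1.0/24 "$SAMPLE_RPCINFO"
```

On a live host the sample would be replaced with the real listing, e.g. `npf_fragment wm0 10.0.1.0/24 "$(rpcinfo -p)"`, the fragment merged into /etc/npf.conf alongside the existing default group, and the rules reloaded with `npfctl reload`. Since lockd and statd pick their ports at start-up, the fragment has to be regenerated whenever those daemons are restarted, which is exactly why the reply suggests running rpcinfo -p periodically rather than hard-coding ports beyond 111 and 2049.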
