I've posted this question to nfs-discuss with no response, asking with wide scope here.
NFS clients will open 2 or more ports, statd and lockd. While rpcbind can be set as local_only, these ports are still open and could potentially be exploited. For servers on the public internet this is a considerable risk.

What is the appropriate way of securing such a system? I'm not aware of any way to restrict these daemons to a single (private) network interface, and I don't believe TCP-Wrappers is applicable. Is there a recommended means of dealing with this other than using a firewall?

benr.

This message posted from opensolaris.org
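An added example, not part of the original post: a shell function that reads `rpcinfo -p` output and lists the transport and port that statd and lockd have registered with rpcbind, so those ports can be compared against the host's filtering policy. It assumes the standard RPC program numbers 100024 (status) and 100021 (nlockmgr); the function names and the sample output, including its port numbers, are constructed for illustration.

```shell
#!/bin/sh
# nfs_aux_ports: read `rpcinfo -p` output on stdin and print one line per
# unique "proto port daemon" registered by statd or lockd.
nfs_aux_ports() {
    awk '
        # 100024 = status (statd), 100021 = nlockmgr (lockd)
        $1 == 100024 || $1 == 100021 {
            key = $3 " " $4
            if (!(key in seen)) {          # several versions share one port
                seen[key] = 1
                name = ($1 == 100024) ? "statd" : "lockd"
                print $3, $4, name
            }
        }
    '
}

# Constructed sample of `rpcinfo -p` output (port numbers are made up).
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100024    1   udp  32772  status
    100024    1   tcp  32771  status
    100021    1   udp   4045  nlockmgr
    100021    2   udp   4045  nlockmgr
    100021    1   tcp   4045  nlockmgr
EOF
}

# On a live host this would be: rpcinfo -p | nfs_aux_ports
sample_rpcinfo | nfs_aux_ports
```

The statd port is normally assigned dynamically, so the list should be regenerated after the service restarts rather than hard-coded into a filter rule.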