>> > Do you have a particular usage that needs this?
>>
>> No, I just run a local nfs server; at the moment only serving one
>> single, trusted client.
>> So I'm not in desperate need for fixed ports, but I think fixed ports
>> are a lot cleaner and overall easier to maintain.
>
> RPC does not work that way. It uses the portmapper at port 111 for
> discovery. NFS at 2049 is also a known port. The rest are supposed
> to be unknown.
Windows does the same thing in RPC, but slightly better (better for filtering-rule purposes, though it kills the randomness). It restricts RPC ports to a defined range and you can then filter based on this range. I did this in the Windows 2000/XP days with the default firewall during the 2003 days. You have to find a way to restrict the RPC ports to a range in OpenBSD (I don't think Theo or the others would go for this) or maybe write a PF rule using portmapper for discovery (don't know how to do this as I am still a pf newbie, no rush).
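An added example, not part of this thread: decoding a portmapper (rpcbind v2) DUMP reply, which is the port-111 discovery step described above, and listing the advertised ports that fall outside the fixed 111/2049 pair a static filter rule would cover. The reply bytes are constructed inline for offline use; the program-name table is only for labelling.

```python
import struct

# Well-known RPC program numbers, used only to label entries.
KNOWN = {100000: "portmapper", 100003: "nfs", 100005: "mountd",
         100021: "nlockmgr", 100024: "status"}
STATIC_PORTS = {111, 2049}  # the two ports the thread calls "known"

def parse_pmap_dump(payload: bytes):
    """Decode a PMAPPROC_DUMP reply (UDP framing, no TCP record mark).

    payload starts at the RPC reply header. Returns one dict per mapping
    with prog/vers/prot (6=TCP, 17=UDP)/port.
    """
    # xid, msg_type (1=REPLY), reply_stat (0=MSG_ACCEPTED),
    # verifier flavor, verifier length, accept_stat (0=SUCCESS)
    _xid, mtype, rstat, _vflav, vlen, astat = struct.unpack_from(">6I", payload, 0)
    if mtype != 1 or rstat != 0 or astat != 0:
        raise ValueError("not a successful RPC reply")
    off = 24 + ((vlen + 3) & ~3)        # skip verifier body, XDR 4-byte aligned
    entries = []
    while True:
        (more,) = struct.unpack_from(">I", payload, off)
        off += 4
        if more == 0:                   # XDR optional-list terminator
            break
        prog, vers, prot, port = struct.unpack_from(">4I", payload, off)
        off += 16
        entries.append({"prog": prog, "name": KNOWN.get(prog, "?"),
                        "vers": vers, "prot": prot, "port": port})
    return entries

def dynamic_ports(entries):
    """Advertised ports a rule that only opens 111 and 2049 would miss."""
    return sorted({e["port"] for e in entries} - STATIC_PORTS)

def build_dump_reply(xid, mappings):
    """Constructed sample reply with an AUTH_NULL verifier (for testing)."""
    body = struct.pack(">6I", xid, 1, 0, 0, 0, 0)
    for prog, vers, prot, port in mappings:
        body += struct.pack(">5I", 1, prog, vers, prot, port)
    return body + struct.pack(">I", 0)

# Constructed sample: fixed portmapper/nfs ports plus three dynamic ones.
SAMPLE = build_dump_reply(0x1234, [
    (100000, 2, 6, 111), (100000, 2, 17, 111), (100003, 3, 6, 2049),
    (100005, 3, 17, 51237), (100021, 4, 6, 43001), (100024, 1, 17, 60111)])
```

Run `parse_pmap_dump(SAMPLE)` against a captured reply to see which ports a fixed-port rule set would have to track.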