> I have a problem with nfs and pf. When PF is on, then nfs does not work. I put
> the hole for portmap and nfs in pf... but I think that the problem is in
> mountd, because every time I restart the server, mountd changes its own
> port:
>
> #####################################
> #rpcinfo -p mars
> program vers proto port
> 100000 2 tcp 111 portmapper
> 100000 2 udp 111 portmapper
> 100005 1 udp 883 mountd
> 100005 3 udp 883 mountd
> 100005 1 tcp 767 mountd
> 100005 3 tcp 767 mountd
> 100003 2 udp 2049 nfs
> 100003 3 udp 2049 nfs
> 100003 2 tcp 2049 nfs
> 100003 3 tcp 2049 nfs
> ####################################
>
> Sometimes 773 .. 762 ... 995,
>
> Ok. The question is how to set static ports for mountd? (And then I will
> open the firewall (pf) for this port... for the client machine.)
There is no way to do that. We do random port allocation. You could hand-patch mountd to pick a specific port at startup and bind() to it, but I would be averse to that going into the tree.

There is a bit of a myth here, I should point out. You can't do NFS security, or more specifically RPC security, via packet filtering at the port level. Your file handles are going to be flying all over the place, and that is a massive problem. NFS is the biggest risk factor of them all, so why bother blocking anything else? I suppose there could be very specific reasons, but... not everything can do everything.

I did look before at having portmap tell pf which ports it was allocating, but gave up because (1) it was difficult to do, (2) it had basically no security benefit, and (3) it would only work for pf running _on_ the portmap machine...
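Added example, not from either poster or from the OpenBSD tree: a small Python parser for the `rpcinfo -p` table quoted in the question. It lists the (proto, port) pairs a port-level pf rule would have to allow, and reports which RPC registrations moved between two captures, which is exactly the mountd behaviour the question describes and the reason a static rule cannot track it. The second capture is constructed to mimic a reboot.

```python
import re
from typing import Dict, List, Tuple

Key = Tuple[int, int, str]          # (program, version, proto)
Reg = Tuple[int, str]               # (port, service name)

# Constructed sample: the rpcinfo -p table quoted in the thread, first capture.
RPCINFO_BEFORE = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    883  mountd
    100005    3   udp    883  mountd
    100005    1   tcp    767  mountd
    100005    3   tcp    767  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
"""

# Constructed sample: same host after a reboot; mountd was handed other ports
# (773/762 are among the values the question says it has seen).
RPCINFO_AFTER = re.sub(r"\b767\b", "762", re.sub(r"\b883\b", "773", RPCINFO_BEFORE))


def parse_rpcinfo(text: str) -> Dict[Key, Reg]:
    """Parse `rpcinfo -p` output into {(program, vers, proto): (port, name)}."""
    table: Dict[Key, Reg] = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip the header row and blank lines; data rows start with a number.
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        prog, vers, proto, port = int(fields[0]), int(fields[1]), fields[2], int(fields[3])
        name = fields[4] if len(fields) > 4 else "unknown"
        table[(prog, vers, proto)] = (port, name)
    return table


def rpc_ports(table: Dict[Key, Reg]) -> List[Tuple[str, int]]:
    """Distinct (proto, port) pairs a port-level firewall rule would need to pass."""
    return sorted({(proto, port) for (_, _, proto), (port, _) in table.items()})


def moved_registrations(before: Dict[Key, Reg], after: Dict[Key, Reg]) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Return {(service, proto): (old_port, new_port)} for registrations whose port changed."""
    moved = {}
    for key, (old_port, name) in before.items():
        new = after.get(key)
        if new is not None and new[0] != old_port:
            moved[(name, key[2])] = (old_port, new[0])
    return moved
```

Running `moved_registrations(parse_rpcinfo(RPCINFO_BEFORE), parse_rpcinfo(RPCINFO_AFTER))` shows only the mountd entries moving while portmapper and nfs stay put, so any rule built from `rpc_ports()` is stale after a reboot.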

