# nfs, rpc and network interface/ip

## hujuice

Hello everybody.

I'm administering an host with two interfaces: one public (say eth0) and one private, in a small LAN (say eth1). Each interface has two address, IPv4 and IPv6.

The host has NFS service, obviously intended to work for the LAN, but the simple /etc/exports configuration leave a handful of open port on the public interface.

I would like to limit all the services (rpcbind, rcp.statd, so on) to the LAN interface only, but I cannot find the way.

(ip(6)tables is an extra option, I would like to limit the origin.)

Some netstat could be more clear:

```

udp        0      0 127.0.0.1:647           0.0.0.0:*                           30575/rpc.statd     

udp        0      0 0.0.0.0:45705           0.0.0.0:*                           30603/rpc.mountd    

udp        0      0 0.0.0.0:34728           0.0.0.0:*                           30575/rpc.statd     

udp        0      0 192.168.142.1:111       0.0.0.0:*                           30534/rpcbind       

udp        0      0 127.0.0.1:111           0.0.0.0:*                           30534/rpcbind       

udp        0      0 0.0.0.0:50646           0.0.0.0:*                           30603/rpc.mountd    

udp        0      0 0.0.0.0:60915           0.0.0.0:*                           30603/rpc.mountd    

udp        0      0 0.0.0.0:605             0.0.0.0:*                           30534/rpcbind       

udp6       0      0 :::35552                :::*                                30603/rpc.mountd    

udp6       0      0 ::1:111                 :::*                                30534/rpcbind       

udp6       0      0 :::50438                :::*                                30603/rpc.mountd    

udp6       0      0 :::57741                :::*                                30575/rpc.statd     

udp6       0      0 :::38436                :::*                                30603/rpc.mountd    

udp6       0      0 :::605                  :::*                                30534/rpcbind
```

(note that it is udp only)

Editing /etc/conf.d/rpcbind I'm able to limit the :111 access to the LAN IPv4 address, no more.

I'm unable to limit the IPv6 address for rpcbind and I'm unable to limit all other services.

The 192.168.142.1:111 line (and localhost) is the one that I like.

I remember that something can be done with the sysctl configuration, but googling around didn't help.

Here is my very poor attempt

```

RPCBIND_OPTS="-l -h 192.168.142.1 -h fe80::211:22ff:fe02:1d01"
```

(It works on IPv4 only)

Here is the exports

```
/usr/portage        [fe80::/10](rw,sync,no_subtree_check,no_root_squash,anonuid=250,anongid=250)

/usr/portage        192.168.142.0/24(rw,sync,no_subtree_check,no_root_squash,anonuid=250,anongid=250)
```

Hints?

Regards,

HUjuice

----------

## krinn

nfs use tcpd, so if you want 

-limit nfs to your network only (i assume you, and should, setup hosts.deny with ALL:ALL)

/etc/hosts.allow with nfsd: LOCAL

- limit nfs to one of your networks: (two cards, each card own its network 192.168.0.* and 192.168.1.*)

/etc/hosts.allow nfsd: LOCAL 192.168.0.*

- limit nfs to any of your network, but not 192.168.1.*

/etc/hosts.allow nfsd: LOCAL EXCEPT 192.168.1.*

- limit nfs to a range from your network:

/etc/hosts.allow nfsd: (a long list of IP you wish them able to use the service) or from exports limited to these ip

-limit some share only to some hosts

that's something you should set in your exports, to only allow some share to be access from some hosts.

do that for any services nfsd, rpcbind...

----------

## hujuice

 *krinn wrote:*   

> nfs use tcpd, so if you want 

 

```
You can protect your rpc.mountd listeners using the tcp_wrapper library or iptables(8).

Note that the tcp_wrapper library supports only IPv4 networking
```

So, the iptables/netfilter solution is THE solution, since I have IPv6. Maybe I'm paranoid?

Thanks anyway, krinn.

HUjuice

----------

## szatox

I'd rather keep iptables rules than host.accept and host.deny, so I can have all my traffic filtering done in one place and I don't have to look for it and scratch my head thinking "where the hell would I put it?" whenever I change something. Or whenever I want to change something.

----------

## krinn

 *hujuice wrote:*   

> 
> 
> Note that the tcp_wrapper library supports only IPv4 networking[/code]
> 
> 

 

I lack to see any value of ipv6 for local network.

ipv6 was made because ipv4 limit to number of hosts on internet, internet is so big...

But seriously, how many local network would reach the limit of ipv4 (local) hosts count?

I didn't check if ipv6 has increase number of hosts for local networking (so that ipv6 have local network ip range that ipv4 doesn't have), but what i'm mostly sure, is that the limit to local number of hosts for ipv4 could only be reach by something not only huge, but totally crazy (something i think only google or nsa on earth may have reach, i even doubt they have, but if any have, must be google or nsa).

Of course iptables can do the job, but unlike szatox, i prefer iptables handling internet filtering, and kept my local filter out of iptables to reduce noise ; keeping only iptables rules for internet (that is the most important).

iptables should be use on the host that is dmz from your network, all others hosts have no real use of iptables as a firewall except to use it to add some weird local network limit.

----------

## hujuice

 *krinn wrote:*   

> i prefer iptables handling internet filtering, and kept my local filter out of iptables to reduce noise ; keeping only iptables rules for internet (that is the most important).
> 
> iptables should be use on the host that is dmz from your network, all others hosts have no real use of iptables as a firewall except to use it to add some weird local network limit.

 

I agree about iptables, that's why iptables comes later for me. But what I wanted to do is to connect two DMZ hosts.

IPv6 has the link-local scope, appearing to me interesting for security (I'm not expert, I'm using IPv6 for the first time).

I understood that the link scope addresses are definitely not routable.

The real scenario is not so much more than an exercise. I have two VPSs in the same infrastructure.

Since I want to connect them (the provider gave to me two "physically" linked interfaces), what I want to do is to NFS a filesystem between them. Except this and some minor needs, the hosts are oriented to be public.

So:

1) I have those "LAN" interfaces, on both hosts.

2) I have that "private" address, given by the provider.

3) I understood that they are not routable, so more secure (?).

4) I want to share a filesystem via NFS.

I can configure the "LAN" with IPv4 or IPv6, but I cannot say to the NFS stack «don't use the IPv6 public address».

Obviously, I can also remove the IPv6 support from NFS and drive the management to IPv4/tcpd.

But the two hosts are development, personal hosts, no production.

So, my knowledge matter more than the real security.

Thanks to all,

HUjucie

----------

