# Bind NFS to specific interface?

## SnEptUne

Hi everyone,

On my server, I have several network cards and network interfaces, for different kinds of network.  One of the networks is connected to the Internet.  However, whenever I start NFS, it binds itself to all network interfaces.  Is there a way to restrict NFS and portmap so that it only binds to, say, two of the networks, to reduce security risk?  Thank you.

----------

## Noven

The option you want to pass to portmap is '-i {interface addresses}'

The only computer here which is an NFS server runs Ubuntu (which makes a *totally crap* server btw, but it's political). 

There is an /etc/default/portmap file which holds the line for us. I'm sure there will be a similar file somewhere in the Gentoo /etc.

Also make sure you use tcp wrappers - I don't trust NFS anywhere within coo-ee of the internet, so layers are good.

----------

## SnEptUne

I found it. It is under /etc/conf.d/portmap.  Ubuntu is a nice distribution as well.  Unfortunately, portmap does not support the -i switch.  Are you sure it is the portmap option?  I got this when I start portmap:

```
/sbin/portmap: invalid option -- i
usage: /sbin/portmap [-dvl]
-d: debugging mode
-v: verbose logging
-l: listen only on loopback address (not on external address)
```

----------

## Noven

That is odd. Check this:

(Ubuntu)

```
man portmap

NAME
     portmap - DARPA port to RPC program number mapper

SYNOPSIS
     portmap [-d] [-t dir] [-v] [-i address]
```

(Gentoo)

```
man portmap

NAME
     portmap -- DARPA port to RPC program number mapper

SYNOPSIS
     portmap [-dv]
```

For some reason portmap under Gentoo has fewer options than portmap under Ubuntu. When I first saw your post I was going to say that Ubuntu is nice for the desktop, just not so nice for a server. However I may have just found the first place in which Ubuntu has an edge. *Goes and sits down and breathes into a bag*. In fact this is a serious flaw... I'm sure in FreeBSD I was able to bind to a specific interface. 

Ubuntu version 5-16ubuntu2. Gentoo version 5b-r9

No -i option leaves tcp wrappers, your exports file and iptables as the security layers. May be worth filing as a bug report - it's either a missing feature or it needs a version bump.

----------

## SnEptUne

I have filed the problem regarding portmap on Bugzilla.  Thanks for the notice.

On the other hand, what is tcp-wrappers?  How can I use it for nfs/portmap?

----------

## Noven

tcp wrappers is implemented via the hosts.deny and hosts.allow files. For instance you might have:

```
# cat hosts.allow
portmap: 192.168.0.0/24

# cat hosts.deny
portmap: ALL
```

You can also do funky stuff like send yourself an email if an unauthorised host tries to connect. Man hosts.allow and hosts.deny for the full range of options. Although I recall that I couldn't allow or deny portmap by host or network name; it had to be an IP address.

----------
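To make the tcp wrappers evaluation order concrete, here is an added Python example (not from the thread and not the tcp_wrappers package's own code) that applies hosts.allow and hosts.deny rules the way hosts_access(5) does: the first match in hosts.allow grants access, then the first match in hosts.deny refuses it, and a client matched by neither is granted. The rule text is constructed to mirror the post above, and only IP-address patterns are handled, since the post notes portmap could not be matched by name.

```python
import ipaddress

# Constructed rule files mirroring the post above (not copied from any real host).
HOSTS_ALLOW = "portmap: 192.168.0.0/24\n"
HOSTS_DENY = "portmap: ALL\n"


def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, ip):
    """Match one client pattern against an IPv4 address string.

    Handles ALL, a trailing-dot prefix (192.168.0.), net/mask or net/prefixlen,
    and a literal address. Host and domain names are not resolved, so they never match.
    """
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    try:
        addr = ipaddress.ip_address(ip)
        if "/" in pattern:                             # 192.168.0.0/24 or /255.255.255.0
            return addr in ipaddress.ip_network(pattern, strict=False)
        return addr == ipaddress.ip_address(pattern)
    except ValueError:                                 # hostname or malformed pattern
        return False


def rule_matches(rule, daemon, ip):
    daemons, clients = rule
    return ("ALL" in daemons or daemon in daemons) and \
        any(client_matches(c, ip) for c in clients)


def access_allowed(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access(5) order: allow file first, then deny file, else grant."""
    if any(rule_matches(r, daemon, ip) for r in parse_rules(allow)):
        return True
    if any(rule_matches(r, daemon, ip) for r in parse_rules(deny)):
        return False
    return True
```

Note that a daemon with no rule in either file (for example, nfsd on a host that only lists portmap) stays reachable, which is one reason the thread treats tcp wrappers as a layer rather than the fix.

----------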

## SnEptUne

Thanks.  I have created and updated my /etc/hosts.allow and /etc/hosts.deny accordingly.  But it doesn't seem to add much security.  After all, hostname and IP address can be spoofed and the ports are still open for connection, as indicated by nmap.

----------

## Noven

It doesn't really add that much security. If you try to mount as normal via a blocked IP it should fail, but a determined attacker could probably break it. You can prevent spoofed IPs connecting externally with iptables. But at the end of the day portmap *should* only be bound to certain interfaces, and I hope that bug is fixed before I end up serving NFS from a dual-homed Gentoo box. It's pure chance I'd never come across that before - although I can't recall putting NFS on any externally facing server.

----------

