Re: [Bulk] [nfsd_server_flags="-h ipaddress" has no effect]


Frank Leonhardt

Aug 31, 2025, 2:45:29 PM
to freebsd-...@freebsd.org
On 31/08/2025 17:23, void wrote:
> Hi,
>
> (sorry, originally sent to -current, oops)
>
> On relatively recent -current (main-n278917-233a26b5c5d7 amd64)
> I was alarmed to find that on a dual-NIC host that if nfsd
> is enabled with the -h flag set, the port appears open on all NICs and
> not just the internal facing one.
>
> This behaviour is in contrast to rpcbind_flags="-h 192.168.1.100"
> which when set means rpcbind cannot be seen on the external-facing
> interface when tested.
>
> Is this expected?
>
> I would have expected port 2047 to be inaccessible from outside the
> network if nfsd is bound with -h to an internal-only interface/ip address

No, indeed I would not. It's not what the source code says to do, but it
does silently ignore the bind addresses list it's created if the -a flag
has been used (if it hits a -a flag). If the count of things added to the
list is zero it binds to everything regardless.

Are you sure you set the server flags correctly in rc.conf and they're
the ones being used?

nfs_server_enable="YES"
nfs_server_flags="-t -n 4 -h 192.168.1.2"
(-t and -n 4 being a reasonable choice).

IIRC there's a problem binding to an interface if you're using UDP.

Assuming you DIDN'T set the -a flag, a printf() around line 300 of
usr.sbin/nfsd/nfsd.c would be interesting.

Regards, Frank.
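
An added example, not part of the original message and not FreeBSD project code: one way to confirm from the host itself whether a port is bound to every address, by filtering `sockstat -l` output for wildcard listeners. The function names, the sample listing and the port number used in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: report listeners bound to the wildcard address on one port.
# Input format: FreeBSD `sockstat -l` lines
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

wildcard_listeners() {
    # $1 = port number; sockstat-style lines are read from stdin.
    # Prints "PROTO LOCAL" for every listener whose local address is "*".
    awk -v port="$1" '
        $1 == "USER" { next }                    # skip the header line
        NF >= 7 {
            proto = $5; laddr = $6
            n = split(laddr, parts, ":")         # port follows the last colon
            if (parts[n] != port) next
            addr = substr(laddr, 1, length(laddr) - length(parts[n]) - 1)
            if (addr == "*") print proto, laddr  # sockstat shows wildcard as *
        }'
}

port_is_scoped() {
    # Exit status 0 when no wildcard listener exists for port $1 on stdin.
    [ -z "$(wildcard_listeners "$1")" ]
}

sample_sockstat() {
    # Constructed sample, not captured from a real host. Sockets handed to
    # the kernel can show "?" in the USER/COMMAND/PID/FD columns, so the
    # filter keys on protocol and local address only.
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     rpcbind    812   9  tcp4   192.168.1.2:111       *:*
?        ?          ?     ?  tcp4   *:2049                *:*
?        ?          ?     ?  tcp6   *:2049                *:*
root     sshd       901   4  tcp4   192.168.1.2:22        *:*
EOF
}

# On a live host:  sockstat -l | wildcard_listeners <port>
```

Any line printed means the service is reachable on every configured address, whatever the -h setting in rc.conf says; an empty result means every listener on that port is tied to a specific address.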




Frank Leonhardt

Aug 31, 2025, 2:48:30 PM
to ques...@freebsd.org
Please ignore - wrong list, oops.

