At Tue, 30 Jun 2020 15:36:07 +0200, Hauke Fath <hf%spg.tu-darmstadt.de@localhost> wrote:
Subject: Re: How to configure npf to restrict nfs to localhost
>
> On 2020-06-29 23:24, Greg A. Woods wrote:
> > Stopping rpcbind from revealing ports other RPC servers are listening on
> > is the primary thing you need to do. You can do this with filters
> > blocking TCP and UDP ports #111, and/or with rpcbind itself using its
> > built-in libwrap support, like so:
> >
> > In your /etc/hosts.allow file you can restrict rpcbind to given
> > networks:
> >
> >     rpcbind:PARANOID:DENY
> >     rpcbind:0.0.0.0, 127.0.0.1, 10.0.1.0/255.255.255.0 :ALLOW
> >     rpcbind:ALL:DENY
>
> In order for rpcbind(8) to actually heed /etc/hosts.{allow,deny} it
> needs to be started with
>
>     -W      Enable libwrap (TCP wrappers) support.
>
> which for whatever reason is not the default.

Ah, yes! Very good point! Thank you!

This is one of the problems with "fixing" one's local source tree and
forgetting what fixes are there!

-- 
Greg A. Woods
Planix, Inc. <woods%planix.ca@localhost> +1 250 762-7675 http://www.planix.ca/
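
The point made in the thread, that the hosts.allow rules do nothing unless rpcbind runs with -W, can be checked mechanically. The script below is an added example, not part of the original messages: the function names, the verdict strings and the flag strings passed to it are constructed here, and it assumes one rule per line in the file it is given.

```shell
# Added example (not from the thread): audit rpcbind flags and hosts.allow rules.

# has_wrap_flag ARGS...: true if -W is present, alone or bundled (-lW).
has_wrap_flag() {
    for arg in "$@"; do
        case "$arg" in -*W*) return 0 ;; esac
    done
    return 1
}

# last_rpcbind_rule FILE: print the last rule for daemon "rpcbind" with
# blanks stripped. Assumes one rule per line (no backslash continuations).
last_rpcbind_rule() {
    awk -F: '
        /^[ \t]*#/ || NF < 2 { next }
        { d = $1; gsub(/[ \t]/, "", d) }
        d == "rpcbind" { gsub(/[ \t]/, ""); last = $0 }
        END { print last }
    ' "$1"
}

# audit_rpcbind "ARGS" FILE: print a one-line verdict.
audit_rpcbind() {
    last=$(last_rpcbind_rule "$2")
    # $1 is split on purpose: it holds the whole flag string as one word.
    if ! has_wrap_flag $1; then
        echo "IGNORED: no -W, rpcbind never consults $2"
    elif [ -z "$last" ]; then
        echo "NO-RULES: -W set, but $2 has no rpcbind rule"
    elif [ "$last" != "rpcbind:ALL:DENY" ]; then
        echo "WEAK: last rpcbind rule is '$last', not a catch-all deny"
    else
        echo "OK: -W set and rules end with rpcbind:ALL:DENY"
    fi
}

# Constructed sample: the three rules quoted in the message above.
write_sample() {
    cat > "$1" <<'EOF'
rpcbind:PARANOID:DENY
rpcbind:0.0.0.0, 127.0.0.1, 10.0.1.0/255.255.255.0 :ALLOW
rpcbind:ALL:DENY
EOF
}

tmp=$(mktemp) && write_sample "$tmp"
audit_rpcbind "-l" "$tmp"     # constructed flag string without -W
audit_rpcbind "-lW" "$tmp"    # constructed flag string with -W
rm -f "$tmp"
```

On a live host the first argument would be the flag string rpcbind was actually started with and the second would be /etc/hosts.allow.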