One cannot tell rpcbind(8) to listen on a specific IP address for TCP requests. This functionality only exists for UDP requests, per the man page:

    -h  Specify specific IP addresses to bind to for UDP requests. This option may be specified multiple times and is typically necessary when running on a multi-homed host.

Fix: Please modify rpcbind(8) so it can bind to a specific IP for TCP and UDP requests. The alternative, using a firewall to limit access, seems excessive! Thank you.

How-To-Repeat:

    grep rpcbind /etc/rc.conf
    rpcbind_enable="YES"
    rpcbind_flags="-h 192.168.3.7"

    /etc/rc.d/rpcbind start
    Starting rpcbind.

    sockstat -4 | grep rpcbind
    root     rpcbind    82389 10 udp4   127.0.0.1:111     *:*
    root     rpcbind    82389 11 udp4   192.168.3.7:111   *:*
    root     rpcbind    82389 12 udp4   *:1010            *:*
    root     rpcbind    82389 13 tcp4   *:111             *:*
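An added check, not part of the PR, that parses sockstat -4 output of the shape shown above and reports any rpcbind socket bound to the wildcard address or to an address outside the configured -h set (the sample output below is constructed from the report, with a header and an unrelated sshd line added):

```python
from typing import Dict, List, Set

# Constructed sample: the sockstat -4 output quoted in the PR, plus the
# usual header line and one non-rpcbind socket to show it is ignored.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS     FOREIGN ADDRESS
root     rpcbind    82389 10 udp4   127.0.0.1:111     *:*
root     rpcbind    82389 11 udp4   192.168.3.7:111   *:*
root     rpcbind    82389 12 udp4   *:1010            *:*
root     rpcbind    82389 13 tcp4   *:111             *:*
root     sshd       700   4  tcp4   *:22              *:*
"""


def parse_sockstat(text: str) -> List[Dict[str, str]]:
    """Parse sockstat(1) -4 style output into one record per socket line."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue  # header or a line too short to be a socket entry
        user, command, pid, fd, proto, local, foreign = fields[:7]
        addr, _, port = local.rpartition(":")  # "*:111" -> ("*", "111")
        records.append({"user": user, "command": command, "pid": pid,
                        "fd": fd, "proto": proto, "addr": addr,
                        "port": port, "foreign": foreign})
    return records


def unexpected_binds(text: str, command: str, allowed: Set[str]) -> List[str]:
    """Return 'proto addr:port' for sockets of `command` bound outside `allowed`.

    A wildcard ('*') local address is always reported: it means the daemon
    listens on every interface no matter which -h addresses were given,
    which is exactly the TCP behaviour the PR complains about."""
    bad = []
    for rec in parse_sockstat(text):
        if rec["command"] != command:
            continue
        if rec["addr"] == "*" or rec["addr"] not in allowed:
            bad.append(f'{rec["proto"]} {rec["addr"]}:{rec["port"]}')
    return bad


if __name__ == "__main__":
    configured = {"127.0.0.1", "192.168.3.7"}  # the -h set from rc.conf
    for sock in unexpected_binds(SAMPLE_SOCKSTAT, "rpcbind", configured):
        print("rpcbind socket bound outside the -h set:", sock)
```

On a live host, feed it the output of `sockstat -4` instead of the constructed sample; an empty result means every rpcbind socket is on an address you intended.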
[CC'ing the developers who added -h and TCP support]

In addition to the security implications for multi-homed systems that have public and private interfaces (and the implication for a software firewall), this is a serious impediment to creating system <-> service abstraction. In large environments where High Availability is a requirement, services are frequently "bound" to VIPs that can easily be moved from one system to another using Fail-over Management Software.

In fact, all of the NFS related utilities are lacking in this facility, specifically, nfsd(8) and mountd(8). mountd(8) does feature a "-p" flag to specify the used to ensure a specific port is reused, thus helping to sanitize RPC/NFS in through a firewall, but lacks a "-h" flag. nfsd(8) also features a "-h" flag, but you cannot control the ports it chooses.

~BAS
A patch for this would be great, guys!

Regards,
BMS
Responsible Changed From-To: freebsd-bugs->matteo

Take this, as I'm working in this area
A patch is available at http://people.freebsd.org/~matteo/diff/rpcbind.diff

I hope to commit it soon.

Best Regards
--
Matteo Riondato
FreeBSD Committer (http://www.freebsd.org)
G.U.F.I. Staff Member (http://www.gufi.org)
FreeSBIE Developer (http://www.freesbie.org)
matteo 2007-04-23 07:09:25 UTC

FreeBSD src repository

Modified files:
  usr.sbin/rpcbind     rpcbind.8 rpcbind.c
Log:
  1) Make it possible for rpcbind(8) to bind TCP listening socket to an IP other than INADDR_ANY.
  2) Add the -6 option to specify "IPv6 only".

  Glanced at by:  bms
  Requested by:   bms [2]
  PR:             bin/84494 [1]
  Approved by:    silence from maintainer (~2 weeks) [1]
  MFC after:      2 weeks

Revision  Changes    Path
1.10      +5 -3      src/usr.sbin/rpcbind/rpcbind.8
1.15      +181 -238  src/usr.sbin/rpcbind/rpcbind.c

_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
State Changed From-To: open->patched

A patch was committed to HEAD. I'll MFC it in 2 weeks.
matteo 2007-06-09 09:28:30 UTC

FreeBSD src repository

Modified files:        (Branch: RELENG_6)
  usr.sbin/rpcbind     rpcbind.8 rpcbind.c
Log:
  MFC:
  rpcbind.c: rev. 1.15, 1.16, 1.17
  rpcbind.8: rev. 1.10

  1) Make it possible for rpcbind(8) to bind TCP listening socket to an IP other than INADDR_ANY.
  2) Add the -6 option to specify "IPv6 only".

  PR:  84494, 1122566

Revision  Changes    Path
1.7.2.2   +5 -3      src/usr.sbin/rpcbind/rpcbind.8
1.14.2.1  +223 -215  src/usr.sbin/rpcbind/rpcbind.c
State Changed From-To: patched->closed

Fixed and merged to RELENG_6.