NetBSD Problem Report #58175

From www@netbsd.org  Fri Apr 19 19:51:28 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 352971A9238
	for <gnats-bugs@gnats.NetBSD.org>; Fri, 19 Apr 2024 19:51:28 +0000 (UTC)
Message-Id: <20240419195126.A36631A923A@mollari.NetBSD.org>
Date: Fri, 19 Apr 2024 19:51:26 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: firewall nfs daemons
X-Send-Pr-Version: www-1.0

>Number:         58175
>Category:       misc
>Synopsis:       firewall nfs daemons
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    misc-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Apr 19 19:55:00 +0000 2024
>Originator:     Taylor R Campbell
>Release:        current, 10
>Organization:
The NfsNpf Foundation
>Environment:
>Description:
It is generally a bad idea to expose nfs to the open internet.

But `nfs' means several things:

- the nfs file system protocol, on port 2049
- the portmapper protocol, on port 111
- the rpcbind protocol, on a port assigned by rpcbind(8)
- the mount protocol, on a port assigned by rpcbind(8) or specified with the -p option to mountd(8)
- the status protocol, on a port assigned by rpcbind(8) for rpc.statd(8)
- the lock, quota, ..., protocols, similarly

Filtering ports 2049 and 111 is easy.  Filtering the mount protocol in particular is easy with the `mountd -p' option.  Filtering all network access to an NFS server is easy.  The NFS daemons also usually allow host-based access control with hosts_access(5) (/etc/hosts.allow, /etc/hosts.deny), and perhaps one could combine that with ingress filtering on a separate firewall host.

But it's not clear how to, e.g., limit access to the NFS daemons to be from a particular network interface like wg0 while rejecting it on bge0, with npf(7).
>How-To-Repeat:
Attempt to follow the admonition at https://www.netbsd.org/docs/guide/en/chap-net-services.html#chap-net-services-nfs to run NFS only on firewalled networks, on a host with multiple interfaces where some interfaces are safe and others are not.
>Fix:
Yes, please!  Whatever the right strategy is:

1. This should be suggested in the guide.
2. This should be referenced in appropriate man pages.
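One way to get the interface-scoped behaviour the report asks for, as an added example that is not part of the PR and not NetBSD's own documented answer: an npf.conf(5) that makes the untrusted interface default-deny inbound (which covers the ports rpcbind(8) hands out to lockd/statd, since they cannot be listed statically) and only passes NFS traffic arriving on wg0 from the VPN peers. The interface names bge0 and wg0 come from the report; the peer network 10.8.0.0/24 and the pinned mountd port 4002 are constructed assumptions.

```conf
# /etc/npf.conf -- added example, not from the PR or the NetBSD guide.
# bge0/wg0 are the interfaces named in the report; the address range
# and the mountd port are assumptions for illustration.
$wan_if = "bge0"                 # untrusted: NFS must not be reachable here
$vpn_if = "wg0"                  # trusted: NFS clients sit behind this
$vpn_net = { 10.8.0.0/24 }       # assumed address range of the wg0 peers

# Fixed ports: 2049 (nfs), 111 (rpcbind/portmapper) and the mountd port
# pinned with `mountd -p 4002' (assumed; mountd_flags="-p 4002" in
# /etc/rc.conf).  lockd and statd still get rpcbind-assigned ports, so
# they are handled by the default-deny on the untrusted side, not by
# enumerating ports.
$nfs_ports = { 111, 2049, 4002 }

alg "icmp"

procedure "log" {
	# npflog0 must exist: ifconfig npflog0 create
	log: npflog0
}

group "wan" on $wan_if {
	# Log hits on the well-known NFS ports so probes are visible,
	# then deny everything else inbound; the catch-all is what
	# covers the dynamically assigned lock/status ports.
	block in final proto tcp to any port $nfs_ports apply "log"
	block in final proto udp to any port $nfs_ports apply "log"
	block in final all
	pass stateful out final all
}

group "vpn" on $vpn_if {
	# Only the VPN peers may reach the NFS daemons, on any port,
	# because rpcbind may place lockd/statd anywhere.
	pass stateful in final from $vpn_net to any
	pass stateful out final all
}

group default {
	pass final on lo0 all
	block all
}
```

Check the file with `npfctl validate /etc/npf.conf` and apply it with `npfctl reload` (with `npf=YES` in /etc/rc.conf so it is loaded at boot). The rules only constrain which interface and source network may reach the daemons; combining them with hosts_access(5) entries for rpcbind, mountd and nfsd, as the report suggests, gives a second, independent check on the same clients.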
