"Bruce" == Bruce Sterling Woodcock sirbruce@ix.netcom.com writes:
>> Try "options nfs.mount_rootonly off".
Bruce> Whoops; I forgot about that option. Still, it is a bad idea.
Why? The concept of privileged ports is meaningless today. NFS is insecure. Restricting mount requests to source ports < 1024 provides virtually no additional security.
I actually have a related question - mountd, lockd, and statd are all RPC services, thus requiring the portmapper. If you're trying to allow access to these services through a f/w, it can be difficult if the firewall doesn't understand the portmapper queries to dynamically allow the corresponding RPC request through the firewall (e.g., 1.2.3.4 does an RPC lookup for mountd, the portmapper replies with port 5678, the f/w then knows to allow requests from 1.2.3.4 to port 5678 on the filer through the firewall).
Anyway, the question is - do these services always bind to the same ports on the filer, or can they be made to (e.g., some mountd's allow you to specify what port they should use)?
j.
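
The portmapper lookup described in the message above, written out at the byte level as an added example (not part of the original message): the PMAPPROC_GETPORT call and reply that a portmapper-aware firewall has to parse before it can open the matching port. The function names are hypothetical, UDP framing and AUTH_NONE are assumed, and any packets fed to it are constructed by the caller.

```python
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3   # portmapper, RFC 1833
MOUNTD_PROG, IPPROTO_UDP = 100005, 17                   # mountd's RPC program number
CALL, REPLY = 0, 1
NULL_AUTH = struct.pack(">2I", 0, 0)                    # AUTH_NONE, empty body

def build_getport_call(xid, prog, vers, proto):
    """Client -> portmapper (UDP framing): where does prog/vers listen?"""
    head = struct.pack(">6I", xid, CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    return head + NULL_AUTH * 2 + struct.pack(">4I", prog, vers, proto, 0)

def build_getport_reply(xid, port):
    """Portmapper -> client: MSG_ACCEPTED, SUCCESS, then the port number."""
    return struct.pack(">3I", xid, REPLY, 0) + NULL_AUTH + struct.pack(">2I", 0, port)

def _skip_auth(data, off):  # step over one opaque_auth: flavor, length, padded body
    _, length = struct.unpack_from(">2I", data, off)
    return off + 8 + ((length + 3) & ~3)

def parse_getport_call(data):
    """Return (xid, prog, vers, proto) for a GETPORT call, else None."""
    try:
        xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">6I", data, 0)
        if (mtype, rpcvers, prog, vers, proc) != (CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT):
            return None
        off = _skip_auth(data, _skip_auth(data, 24))    # credential, then verifier
        q_prog, q_vers, q_proto, _ = struct.unpack_from(">4I", data, off)
    except struct.error:                                # truncated or malformed packet
        return None
    return xid, q_prog, q_vers, q_proto

def parse_getport_reply(data):
    """Return (xid, port) for an accepted, successful reply, else None."""
    try:
        xid, mtype, reply_stat = struct.unpack_from(">3I", data, 0)
        if mtype != REPLY or reply_stat != 0:
            return None
        accept_stat, port = struct.unpack_from(">2I", data, _skip_auth(data, 12))
    except struct.error:
        return None
    return (xid, port) if accept_stat == 0 else None

def pinhole(client_ip, call, reply):
    """Rule a portmapper-aware firewall could derive: (client, proto, port)."""
    c, r = parse_getport_call(call), parse_getport_reply(reply)
    if not c or not r or c[0] != r[0] or r[1] == 0:     # xid mismatch or unregistered
        return None
    return client_ip, c[3], r[1]
```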