We would like to move away from sshfs to nfs.

The last thing holding us back is the fact that rpcbind (which I assume is required for nfs to work) does not allow you to specify the TCP (not UDP) IP that it binds to.

There is the -h flag, but this is only for the UDP ports it opens up. this does not affect the TCP ports, they still open on 0.0.0.0:...

Does anyone know how we can secure rpcbind by not exposing it to our public interface?

Or even better, is there a way to use nfs without rpcbind?

Thanks!

ginerama
anonymous-one

4 Answers

rpcbind is required to map an RPC service to a network (read TCP or UDP) address and port. NFS versions 2 and 3 require an additional service, mountd, to allow clients to get the initial file handle. While nfs has a well-known port number, 2049, mountd doesn't. IOW, if you want to use NFSv3 you will need to run rpcbind as well (well, there are probably some mount options to tell where mountd is running). In contrast to v3, NFSv4 requires only a single port, 2049, and does not need mountd at all. This makes an rpcbind-free NFS setup possible. Just be aware that some (old) clients may still try to talk to rpcbind even for v4.

Now, about rpcbind. Why do you want to protect it? If it's not available to clients, then they can't mount? The only reason to protect it is to limit the number of clients which can do updates. But this is already in place, as rpcbind uses a unix domain socket and disallows any remote client from performing updates. Even on the local host you need to be root for that. If you want to protect it from some clients only, then iptables is your friend (or whatever firewall your OS has):

# iptables -A INPUT -s 10.1.2.0/24 -p tcp --dport 111 -j ACCEPT
# iptables -A INPUT -s 10.1.3.0/24 -p udp --dport 111 -j ACCEPT
# iptables -A INPUT -p tcp --dport 111 -j DROP
# iptables -A INPUT -p udp --dport 111 -j DROP
kofemann

    "Why do you want to protect it? If it's not available to clients, then they can't mount?" Listening on an internal, private network's interface is very different than listening on a public interface. – Ivan Vučica Jan 29 '19 at 22:54
The lookup for the service port is baked into the RPC protocol, so you'd have to do something quite exotic to avoid rpcbind when running NFS.

You could block connections from particular addresses or interfaces using iptables; with tcpwrappers (/etc/hosts.allow, /etc/hosts.deny); or - for the adventurous - with SELinux.

tcpwrappers is available natively if "ldd /sbin/rpcbind" shows a link to libwrap, otherwise you'd need to suppress the usual startup and instead run it out of inetd/xinetd through tcpd. I haven't tried that myself.

For anyone looking for an answer in 2019: no need to add firewall rules.

rpcbind takes a -h IP option. It's enough to add it to /etc/sysconfig/rpcbind (Red Hat, Fedora, SLES, openSUSE) or /etc/default/rpcbind (Debian, Ubuntu).

pevik
    The OP noted that `-h` only applied to UDP ports, not TCP ports. When did this change? – Michael Hampton Feb 03 '19 at 04:41
    Also, if you're only using NFSv4 (not NFSv2 or NFSv3), you can use the `-H` option to `rpc.nfsd` to bind to one particular IP. For example, in `/etc/default/nfs-kernel-server` on Debian or Ubuntu: `RPCNFSDOPTS="-N 2 -N 3 -H 10.20.1.1"` – Daniel Lo Nigro Jun 27 '19 at 05:52
  • @DanielLoNigro It would be cool if you could extend on that in a dedicated answer as I am struggling to find a solution for this, too. – wedi Nov 24 '19 at 13:52
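An added example, not from any of the posts or comments above: a POSIX shell audit that scans an `ss -Hlntu`-style socket listing for rpcbind, nfsd and mountd sockets bound to a wildcard address. This is the check to run after trying `rpcbind -h`, `rpc.nfsd -H`, or firewall rules, because the question's actual complaint is that `-h` pinned the UDP listener while TCP 111 stayed on 0.0.0.0. The two listings, the private address 10.20.1.1 (borrowed from the comment above) and the mountd port 20048 are constructed for this example; 20048 is the fixed rpc.mountd port that many Linux distributions ship with, which the thread itself does not state.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an `ss -Hlntu`-style
# socket listing for RPC/NFS services bound to the wildcard address, which
# is exactly what exposes them on a public interface.

# Constructed sample in the shape of `ss -Hlntu` output
# (netid state recv-q send-q local peer).  UDP 111 has been pinned with
# `rpcbind -h 10.20.1.1`, but TCP 111 is still on 0.0.0.0 / [::], matching
# the observation in the question.  Port 631 (cups) is noise.
SAMPLE_MIXED='udp   UNCONN 0      0      10.20.1.1:111   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:111     0.0.0.0:*
tcp   LISTEN 0      128    [::]:111        [::]:*
tcp   LISTEN 0      64     0.0.0.0:2049    0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:20048   0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631   0.0.0.0:*'

# Same host after pinning every NFS-related service to the private address
# (constructed; an NFSv4-only box with no mountd at all).
SAMPLE_PINNED='udp   UNCONN 0      0      10.20.1.1:111   0.0.0.0:*
tcp   LISTEN 0      128    10.20.1.1:111   0.0.0.0:*
tcp   LISTEN 0      64     10.20.1.1:2049  0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631   0.0.0.0:*'

# Map a port to the service we care about.  111 (rpcbind/portmapper) and
# 2049 (nfs) are IANA-assigned; 20048 is the fixed rpc.mountd port used by
# many Linux distributions (assumption: yours may run mountd elsewhere).
rpc_service_for_port() {
    case "$1" in
        111)   echo rpcbind ;;
        2049)  echo nfsd ;;
        20048) echo mountd ;;
        *)     return 1 ;;
    esac
}

# Print "proto port addr service" for every line whose local address is a
# wildcard (0.0.0.0, *, [::] or bare ::) on one of the ports above.
exposed_listeners() {
    printf '%s\n' "$1" | while read -r netid _state _rq _sq local _peer; do
        [ -n "$netid" ] || continue
        port=${local##*:}      # text after the last colon
        addr=${local%:*}       # everything before it, e.g. "[::]" or "10.20.1.1"
        svc=$(rpc_service_for_port "$port") || continue
        case "$addr" in
            0.0.0.0|'*'|'[::]'|::) echo "$netid $port $addr $svc" ;;
        esac
    done
}

# Number of exposed sockets; 0 is the goal before the host faces a public network.
count_exposed() {
    exposed_listeners "$1" | grep -c . || true
}

# Live use on a real host: count_exposed "$(ss -Hlntu)"
if [ "$(count_exposed "$SAMPLE_MIXED")" -ne 0 ]; then
    echo "NFS/RPC sockets still on a wildcard address:"
    exposed_listeners "$SAMPLE_MIXED"
fi
```

Run it as `sh audit-nfs-listeners.sh` on the sample, or feed it `ss -Hlntu` output on a real server; anything it prints is reachable on every interface regardless of what `-h` did to the UDP side, and is what the firewall rules or `rpc.nfsd -H` have to cover.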
No need to set up firewall rules anymore. With recent Linux distributions where /etc/hosts.deny and /etc/hosts.allow are available, you can simply do the following:

echo "portmap: 10.0.0.0/16" >> /etc/hosts.allow
echo "rpcbind: 10.0.0.0/16" >> /etc/hosts.allow
echo "portmap: ALL" >> /etc/hosts.deny
echo "rpcbind: ALL" >> /etc/hosts.deny

(Assuming 10.0.0.0/16 is your private network).

Recent versions of NFS use rpcbind, but older ones use portmap, so it depends on your OS.

Cyril N.