On 7/25/24 11:32 PM, Niklas Hambüchen wrote:
> Hi,
>
> I found that `rpc.mountd` is hardcoded to listen on NULL == INADDR_ANY == 0.0.0.0:
>
> https://serverfault.com/questions/1110431/how-to-specify-a-specific-bind-address-for-nfs-kernel-server-on-debian-11-4/1163083#1163083
>
> This makes it impossible to reduce the attack surface by e.g. restricting it to a VPN IP address.
>
> Is there a technical reason for that (while other NFS daemons support `--host` flags and `host` config options), or is that just historical?

Just historical... Making NFS work over VPNs would be a good thing... IMHO.

I've never been big on added flags, due to support reasons... But I think this would be a good idea... Patches are welcome :-)

Feel free to contact me, off list, to help out with the patch.

steved.
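
The "NULL == INADDR_ANY" point from the question, shown with standard `getaddrinfo()` semantics: a NULL node with `AI_PASSIVE` resolves to the wildcard address, while a literal IP pins the bind to one interface. This is an added example, not part of the thread and not nfs-utils code; `resolve_bind_addr`, `is_wildcard`, the port number and the 10.8.0.1 address are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* host == NULL models the hardcoded case from the thread; a literal IP
 * models a hypothetical --host style option. Writes the numeric bind
 * address into out and returns 0, or -1 if host is not a literal IP. */
int resolve_bind_addr(const char *host, int family, const char *port,
                      char *out, size_t outlen)
{
    struct addrinfo hints = {0}, *res;

    hints.ai_family = family;
    hints.ai_socktype = SOCK_DGRAM;
    /* AI_PASSIVE plus a NULL node is what yields the wildcard address. */
    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST | AI_NUMERICSERV;
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return -1;
    const void *addr = (res->ai_family == AF_INET6)
        ? (const void *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr
        : (const void *)&((struct sockaddr_in *)res->ai_addr)->sin_addr;
    const char *p = inet_ntop(res->ai_family, addr, out, (socklen_t)outlen);
    freeaddrinfo(res);
    return p ? 0 : -1;
}

/* A wildcard bind is reachable on every interface, VPN or not. */
int is_wildcard(const char *addr)
{
    return strcmp(addr, "0.0.0.0") == 0 || strcmp(addr, "::") == 0;
}

int main(void)
{
    const char *hosts[] = { NULL, "10.8.0.1" }; /* constructed VPN address */
    char buf[INET6_ADDRSTRLEN];
    for (int i = 0; i < 2; i++) {
        if (resolve_bind_addr(hosts[i], AF_INET, "20048", buf, sizeof(buf)))
            return 1;
        printf("host=%s -> bind %s%s\n", hosts[i] ? hosts[i] : "NULL", buf,
               is_wildcard(buf) ? " (all interfaces)" : "");
    }
    return 0;
}
```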