No, this change will not be done.

Your assumption is that everyone's networks are secure enough, and anyone
who isn't should suffer the consequences.

I cannot accept that position.

>I'd like to make a suggestion regarding NFS in OpenBSD; let me apologize in
>advance if this isn't the right place to make this suggestion.
>
>Currently (at least on 5.8, I haven't upgraded yet), the nfs daemon refuses to
>accept a mount request if it comes from a non-privileged port (>=
>IPPORT_RESERVED). As I understand, this was once a 'security feature' in the
>time of mainframes, when access to computers was restricted. In any case, I
>believe this behaviour should be changed as it does not provide security, and
>also leads to problems: for example, it means one has to use the markedly
>slower SMB protocol when using an OpenBSD server as a remote mount on a FireTV
>stick (my use case).
>
>I therefore propose to remove this source port check from the nfs code, or
>alternatively, to add an option to export nfs volumes without this check. The
>first thing can e.g. be accomplished by modifying the OpenBSD source in two
>places, as follows (patches for 5.8):
>
>patch /usr/src/sbin/mountd/mountd.c < mountd.patch
>patch /usr/src/sys/nfs/nfs_subs.c < nfs_subs.patch
>
>where
>
>### start of mountd.patch ###
>369c369
><               if (sport >= IPPORT_RESERVED) {
>---
>>               if (0 == 1) { // don't fail when sport >= IPPORT_RESERVED
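
Review bot: `if (0 == 1)` at line 369 turns the body of the branch into dead code instead of stating the new policy. If the check is meant to go, delete the whole block; if it is meant to be optional, test a flag here, as the per-export option offered in the message as the alternative would do, so that existing exports keep rejecting source ports >= IPPORT_RESERVED unless an administrator opts out.
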
>467c467
><               if (sport >= IPPORT_RESERVED) {
>---
>>               if (0 == 1) { //don't fail when sport >= IPPORT_RESERVED
>483c483
><               if (sport >= IPPORT_RESERVED) {
>---
>>               if (0 == 1) { //don't fail when sport >= IPPORT_RESERVED
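
Review bot: the same substitution now appears at 369, 467 and 483, so the three sites have to be kept in step by hand; a single helper that decides whether `sport` is acceptable would keep them consistent. The patch is also in default diff format, without context lines or file names, which ties it to the exact 5.8 revision of mountd.c; `diff -u` output would be easier to review and apply.
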
>### end of mountd.patch ###
>
>
>### start of nfs_subs.patch ###
>1455c1455
><           (ntohs(saddr->sin_port) >= IPPORT_RESERVED ||
>---
>>           (0 == 1 || // don't fail when sport >= IPPORT_RESERVED
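
Review bot: at line 1455 the `0 == 1 ||` operand is a constant false that only masks the removed port test; drop the operand rather than leaving a no-op at the head of the condition. Because this is the check in sys/nfs/nfs_subs.c, the change switches it off for every export on the server at once, with nothing an administrator can set to keep it for exports that rely on it, so it should be conditional on a per-export setting rather than unconditional.
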
>### end of nfs_subs.patch ###
>
>
>Best,
>Nicolas Schmidt
