No, this change will not be done. Your assumption is that everyone's networks are secure enough, and anyone who isn't should suffer the consequences.
I cannot accept that position.

>I'd like to make a suggestion regarding NFS in OpenBSD; let me apologize in
>advance if this isn't the right place to make this suggestion.
>
>Currently (at least on 5.8, I haven't upgraded yet), the nfs daemon refuses to
>accept a mount request if it comes from a non-privileged port (>=
>IPPORT_RESERVED). As I understand, this was once a 'security feature' in the
>time of mainframes, when access to computers was restricted. In any case, I
>believe this behaviour should be changed as it does not provide security, and
>also leads to problems: for example, it means one has to use the markedly
>slower SMB protocol when using an OpenBSD server as a remote mount on a FireTV
>stick (my use case).
>
>I therefore propose to remove this source port check from the nfs code, or
>alternatively, to add an option to export nfs volumes without this check. The
>first thing can e.g. be accomplished by modifying the OpenBSD source in two
>places, as follows (patches for 5.8):
>
>patch /usr/src/sbin/mountd/mountd.c < mountd.patch
>patch /usr/src/sys/nfs/nfs_subs.c < nfs_subs.patch
>
>where
>
>### start of mountd.patch ### >369c369 >< if (sport >= IPPORT_RESERVED) { >--- >> if (0 == 1) { // don't fail when sport >= IPPORT_RESERVED >467c467 >< if (sport >= IPPORT_RESERVED) { >--- >> if (0 == 1) { //don't fail when sport >= IPPORT_RESERVED >483c483 >< if (sport >= IPPORT_RESERVED) { >--- >> if (0 == 1) { //don't fail when sport >= IPPORT_RESERVED >### end of mountd.patch ### > > >### start of nfs_subs.patch ### >1455c1455 >< (ntohs(saddr->sin_port) >= IPPORT_RESERVED || >--- >> (0 == 1 || // don't fail when sport >= IPPORT_RESERVED >### end of nfs_subs.patch ###
>
>
>Best,
>Nicolas Schmidt
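
Review bot: The three mountd.c hunks (369, 467, 483) stub the test out as `if (0 == 1)`, which leaves each rejection branch behind as dead code and turns the reserved-port check off for every export on the server at once. The message names a per-export option as the alternative; gating `sport >= IPPORT_RESERVED` on such an option, with the check still enabled by default, would leave existing exports unchanged. If the check is to be removed outright, delete the branch rather than falsifying its condition. These are also bare line-number diffs against 5.8 with no context lines, so a unified diff would be needed to review what each branch actually does.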
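
Review bot: In the nfs_subs.c hunk at 1455, `(0 == 1 ||` permanently drops the kernel-side source-port test while keeping a compound condition whose remaining `||` operands are not visible in the diff, so the effect on the surrounding check cannot be judged from these two lines. Repost this hunk with context, and make the kernel test depend on the same per-export setting as the mountd checks so the two sides cannot end up enforcing different policies.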