On Tue, Jan 09, 2024 at 10:13:56AM +0300, 4 wrote:
> >> I'm quoting the man page for mountd:
> >>      The -n flag historically allowed clients to use non-reserved ports
> >>      when communicating with mountd.  In OpenBSD, a reserved port is
> >>      always used.
> >> "reserved port". "always".. However, the port is different each time.
> >> How do I deal with this?
> >> 
> 
> > Reserved means that the port number is below 1024. The RPC system
> > (which is used to implement NFS) uses portmapper to determine which
> > service runs on which port. What problem are you trying to solve?
> 
> >         -Otto
> I'm trying to solve the problem of which ports need to be opened in pf.
> The variant of processing the rpcinfo output with a script and then putting
> the rules into an anchor is not very pretty, especially considering that
> this is not enough, and I still need to repeat this action via cron.
> This variant works, but it's not even close to how it should work %\
> Why should I have to solve such a task at a time when humanity is flying
> off to conquer Mars?
> 

No need to be so dramatic, the ports only change when the service is
restarted, so there is no need for constant monitoring and/or script
running.  Either you run the script (a one-liner, by the way, see below)
on the server upon starting the daemon, or run it on the firewall via
cron at appropriate intervals (I'm assuming you don't reboot your server
every 10 minutes, so it can be run at large intervals).

You may not find it "very pretty", but hey, it works fine.  NFS over
firewalls decidedly isn't great, but it's the smallest of my NFS woes.

OT, they got to the moon with the computing power of a pocket
calculator, and the physics of going to Mars are pretty much the same,
so I find your argument moot.  Also, it's literally a one-line script.
Not exactly rocket science.

    rpcinfo -p a.b.c.d | awk 'NR>1 { print "pass inet proto " $3 " to port " $4 " flags any" }' | pfctl -a "portmap/$a" -f -

-- 
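As an added example (editor's code, not part of the thread and not an OpenBSD tool): the same idea as the one-liner above, written out as a script that allowlists the RPC services NFS actually needs, emits one rule per proto/port instead of one per RPC version, and can be run from rc.local on the server or from cron on the firewall. The server address 192.0.2.10, the anchor name portmap/nfs1, the WANTED list and the rpcinfo -p output embedded in sample_rpcinfo are all assumed or constructed for the example; it also assumes pf.conf already carries an `anchor "portmap/*"` line, since rules loaded into a sub-anchor with pfctl -a are only evaluated if the main ruleset references that anchor.

```shell
#!/bin/sh
# Added example, not code from the thread: build pf rules for an anchor
# from `rpcinfo -p` output, keeping only the RPC services NFS needs.
# Assumed for the example: server 192.0.2.10, anchor "portmap/nfs1", and
# a pf.conf that already contains   anchor "portmap/*"   so the sub-anchor
# loaded here is actually evaluated.
set -eu

SERVER=192.0.2.10
ANCHOR="portmap/nfs1"
# Services a plain NFSv3 client needs; add nlockmgr/status if the server
# runs lockd/statd and the clients use locking.
WANTED="portmapper mountd nfs"

# Constructed stand-in for `rpcinfo -p $SERVER` so the script runs offline.
# mountd sits on an ephemeral port that differs between tcp and udp, which
# is exactly the problem discussed in the thread.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp    910  mountd
    100005    3   udp    910  mountd
    100005    1   tcp    644  mountd
    100005    3   tcp    644  mountd
    100021    4   tcp    792  nlockmgr
EOF
}

# rpcinfo_to_pf DST "svc1 svc2 ...": read rpcinfo -p output on stdin and
# print one pf rule per (proto, port) of an allowlisted service.  The
# header line is skipped, per-version duplicates are collapsed with
# sort -u, and "flags any" is only emitted for tcp because pf.conf(5)
# documents flags as applying to TCP rules only.
rpcinfo_to_pf() {
    awk -v dst="$1" -v wanted="$2" '
    BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
    NR > 1 && NF >= 5 && ($5 in ok) {
        rule = "pass in inet proto " $3 " to " dst " port " $4
        if ($3 == "tcp") rule = rule " flags any"
        print rule
    }' | LC_ALL=C sort -u
}

# Replace the anchor contents with freshly generated rules (pfctl -f on an
# anchor swaps in the new ruleset, so ports from an earlier run vanish).
# Run this after each (re)start of the RPC daemons, or from cron on the
# firewall, to keep the anchor in step with the ports mountd picked.
load_anchor() {
    rpcinfo_to_pf "$SERVER" "$WANTED" | pfctl -a "$ANCHOR" -f -
}

# Print the rules; with "load" as the first argument also feed them to
# pfctl.  On a real firewall replace sample_rpcinfo with
# `rpcinfo -p "$SERVER"`.
sample_rpcinfo | rpcinfo_to_pf "$SERVER" "$WANTED"
if [ "${1:-}" = load ]; then
    sample_rpcinfo | load_anchor
fi
```

With the constructed input this prints six rules (tcp and udp for 111, 2049 and the two mountd ports) and drops the nlockmgr registration because it is not in WANTED; the allowlist matters because rpcinfo -p reports every program registered with the portmapper, not just the ones NFS uses, and the one-liner above passes all of them. After a `load`, `pfctl -a portmap/nfs1 -s rules` shows what landed in the anchor.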
 