# rpcbind – jailed nfsd?



## getopt (Aug 22, 2014)

In Absolute FreeBSD, 2nd Edition, one can read:


> NFS programs such as rpcbind() and nfsd() bind to all IP addresses on a system, and changing this behavior is difficult. Don't run an NFS server on your jail host. You can use NFS in your jails, however. If you must combine NFS and jail, don't use the main host, but configure a jail to export your NFS mounts. (Lucas, M.W., 2008, p. 289)




```
# sockstat -4 | grep -E 'USER|nfsd|mountd|rpcbind'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nfsd       731   5  tcp4   xxx.xxx.xxx.xxx:2049  *:*
root     mountd     725   6  udp4   127.0.0.1:620         *:*
root     mountd     725   7  udp4   xxx.xxx.xxx.xxx:620   *:*
root     mountd     725   8  tcp4   127.0.0.1:620         *:*
root     mountd     725   9  tcp4   xxx.xxx.xxx.xxx:620   *:*
root     rpcbind    690   6  udp4   127.0.0.1:111         *:*
root     rpcbind    690   7  udp4   xxx.xxx.xxx.xxx:111   *:*
root     rpcbind    690   8  udp4   *:750                 *:*  <-- !!
root     rpcbind    690   9  tcp4   127.0.0.1:111         *:*
root     rpcbind    690   10 tcp4   xxx.xxx.xxx.xxx:111   *:*
```


Can rpcbind be configured so that it does not bind to all IP addresses, even if it is difficult?

Using a jail, how can

- a directory or
- a zfs-fs

be exported when they are located outside the jail?


----------



## SirDice (Aug 22, 2014)

getopt said:

> Can rpcbind be configured so that it does not bind to all IP addresses, even if it is difficult?


That should now be possible. It wasn't in the past and rpcbind would just bind to all available IP addresses, including those of the host and other jails. But it now has a -h option:

```
-h bindip
             Specify specific IP addresses to bind to for TCP and UDP
             requests.  This option may be specified multiple times and is
             typically necessary when running on a multi-homed host.  If no -h
             option is specified, rpcbind will bind to INADDR_ANY, which could
             lead to problems on a multi-homed host due to rpcbind returning a
             UDP packet from a different IP address than it was sent to.  Note
             that when specifying IP addresses with -h, rpcbind will
             automatically add 127.0.0.1 and if IPv6 is enabled, ::1 to the list.
```



> Using a jail, how can
> 
> a directory or
> a zfs-fs
> ...


You can't. That's the whole purpose of a jail: you cannot access filesystems _outside_ of the jail. But you can use nullfs(5) to mount the host's filesystem _inside_ the jail. Those can be exported.


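As an added example (not part of the thread), a small audit helper for the situation getopt's listing shows: it reads `sockstat -4` output and reports every rpcbind, nfsd or mountd socket still bound to the wildcard address (`*:port`, i.e. INADDR_ANY), which is what `-h` is meant to prevent. The sample listing is constructed here; the address 192.0.2.10 and the `rpcbind_flags` value in the comment are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample of 'sockstat -4' output, modelled on the listing in the thread.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nfsd       731   5  tcp4   192.0.2.10:2049       *:*
root     mountd     725   6  udp4   127.0.0.1:620         *:*
root     rpcbind    690   7  udp4   192.0.2.10:111        *:*
root     rpcbind    690   8  udp4   *:750                 *:*
root     rpcbind    690   9  tcp4   127.0.0.1:111         *:*'

# wildcard_binds: read sockstat -4 output on stdin and print "COMMAND PID PROTO LOCAL"
# for every RPC/NFS daemon socket whose local address is the wildcard (*:port).
# Fields: 1=USER 2=COMMAND 3=PID 4=FD 5=PROTO 6=LOCAL 7=FOREIGN; the header is skipped.
wildcard_binds() {
    awk 'NR > 1 && $2 ~ /^(rpcbind|nfsd|mountd)$/ && $6 ~ /^\*:/ { print $2, $3, $5, $6 }'
}

# wildcard_count: number of such sockets; non-zero means the daemons are still
# reachable on every interface, including other jails' addresses.
wildcard_count() {
    wildcard_binds | wc -l | tr -d ' '
}

# On a live FreeBSD host (assumes sockstat(1) is present):
#   sockstat -4 | wildcard_binds
# To pin rpcbind to one address, the rc.conf(5) knob is rpcbind_flags, e.g.
#   rpcbind_flags="-h 192.0.2.10"      # assumed address; 127.0.0.1 is added automatically
# then restart rpcbind and re-run the check.

# Stand-alone demonstration on the constructed sample:
printf '%s\n' "$SAMPLE" | wildcard_binds
```

Note that the `-h` option only covers rpcbind itself; nfsd and mountd keep their own bind behaviour, which is why the check looks at all three.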
----------



## kpa (Aug 22, 2014)

It looks like it uses another port (682) for outgoing traffic, and that cannot be changed; UDP is stateless, and to send data the socket is bound exactly the same way as it was when listening for connections.


----------



## kpa (Aug 22, 2014)

With UDP you can't tell apart sockets that are used for sending or receiving (or both at the same time), because there is no direction or state involved. I'm only guessing that port 682 is used for outgoing connections; the documentation doesn't really reveal what its purpose is.


----------

