Date: Tue, 2 Aug 2005 20:38:53 GMT
From: Richard Bejtlich <taosecurity@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: rpcbind TCP cannot be told to bind to a specific IP 

>Number:         84494
>Category:       bin
>Synopsis:       rpcbind TCP cannot be told to bind to a specific IP
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    matteo
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 02 20:40:08 GMT 2005
>Closed-Date:    Sat Jun 09 09:32:07 GMT 2007
>Last-Modified:  Sat Jun 09 09:32:07 GMT 2007
>Originator:     Richard Bejtlich
>Release:        5.4
>Organization:
TaoSecurity
>Environment:
FreeBSD janney.taosecurity.com 5.4-RELEASE FreeBSD 5.4-RELEASE #1: Wed Jun 22 15:28:12 EDT 2005     root@janney.taosecurity.com:/usr/obj/usr/src/sys/JANNEY  i386
>Description:
One cannot tell rpcbind(8) to listen on a specific IP address for TCP requests.  This functionality only exists for UDP requests, per the man page:


     -h      Specify specific IP addresses to bind to for UDP requests.  This
             option may be specified multiple times and is typically necessary
             when running on a multi-homed host.


>How-To-Repeat:
grep rpcbind /etc/rc.conf
rpcbind_enable="YES"
rpcbind_flags="-h 192.168.3.7"

/etc/rc.d/rpcbind start
Starting rpcbind.

sockstat -4 | grep rpcbind
root     rpcbind    82389 10 udp4   127.0.0.1:111         *:*
root     rpcbind    82389 11 udp4   192.168.3.7:111       *:*
root     rpcbind    82389 12 udp4   *:1010                *:*
root     rpcbind    82389 13 tcp4   *:111                 *:*
>Fix:
Please modify rpcbind(8) so it can bind to a specific IP for TCP and UDP requests.  The alternative, using a firewall to limit access, seems excessive!  Thank you.
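
Added example (not part of the original report, and not FreeBSD project code): a shell check that reads sockstat output and lists every rpcbind socket on port 111 bound to an address outside an allowed list, run here against the How-To-Repeat output above. The function names are hypothetical and the second sample is constructed for comparison.

```sh
#!/bin/sh
# Added example, not from the PR or the FreeBSD source tree.
# Function names are hypothetical.

# sockstat -4 output copied from the How-To-Repeat section of this report.
sample_reported() {
cat <<'EOF'
root     rpcbind    82389 10 udp4   127.0.0.1:111         *:*
root     rpcbind    82389 11 udp4   192.168.3.7:111       *:*
root     rpcbind    82389 12 udp4   *:1010                *:*
root     rpcbind    82389 13 tcp4   *:111                 *:*
EOF
}

# Constructed sample: the same host if TCP were bound like UDP.
sample_bound() {
cat <<'EOF'
root     rpcbind    90001 10 udp4   127.0.0.1:111         *:*
root     rpcbind    90001 11 udp4   192.168.3.7:111       *:*
root     rpcbind    90001 12 tcp4   127.0.0.1:111         *:*
root     rpcbind    90001 13 tcp4   192.168.3.7:111       *:*
EOF
}

# audit_rpcbind_binds ALLOWED_ADDR...
# Reads sockstat lines on stdin and prints "PROTO LOCAL" for each rpcbind
# socket on port 111 whose local address is not in the allowed list.
# Exit status is 1 if any such socket is found, 0 otherwise.
audit_rpcbind_binds() {
    awk -v allowed="$*" '
    BEGIN { n = split(allowed, list, " "); for (i = 1; i <= n; i++) ok[list[i]] = 1 }
    $2 == "rpcbind" {
        # LOCAL is ADDR:PORT; take the port after the last colon so IPv6
        # addresses from sockstat -6 are handled as well.
        k = split($6, parts, ":")
        port = parts[k]
        addr = substr($6, 1, length($6) - length(port) - 1)
        if (port == "111" && !(addr in ok)) { print $5, $6; bad = 1 }
    }
    END { exit bad + 0 }'
}

# On a live host: sockstat -4 | audit_rpcbind_binds 127.0.0.1 192.168.3.7
sample_reported | audit_rpcbind_binds 127.0.0.1 192.168.3.7 ||
    echo "rpcbind listens on port 111 outside the allowed addresses"
```

Against the reported output the check prints the wildcard TCP socket (tcp4 *:111); the UDP socket on *:1010 is ignored because only port 111 is audited.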
>Release-Note:
>Audit-Trail:

From:   "Brian A. Seklecki" <bseklecki@mail.pub.collaborativefusion.com>
To: bug-followup@FreeBSD.org, taosecurity@gmail.com
Cc: Bill Moran <wmoran@collaborativefusion.com>, dd@freebsd.org,
  mbr@freebsd.org, alfred@freebsd.org
Subject: Re: bin/84494: rpcbind TCP cannot be told to bind to a specific IP
Date: Fri, 10 Mar 2006 17:13:39 -0500

 [CC'ing the developers who added -h and TCP support]
 
 In addition to the security implications for multi-homed systems that
 have public and private interfaces (and the implication for a software
 firewall), this is a serious impediment to creating system <-> service
 abstraction.
 
 In large environments where High Availability is a requirement, services
 are frequently "bound" to VIPs that can easily be moved from one system
 to another using Fail-over Management Software.
 
 In fact, all of the NFS related utilities are lacking in this facility,
 specifically, nfsd(8) and mountd(8).
 
 mountd(8) does feature a "-p" flag, used to ensure a specific port is
 reused, thus helping to sanitize RPC/NFS in through a firewall, but lacks
 a "-h" flag.
 
 nfsd(8) also features a "-h" flag, but you cannot control the ports it
 chooses.
 
 
 ~BAS
 

From: Bruce M Simpson <bms@incunabulum.net>
To: freebsd-gnats-submit@FreeBSD.org
Cc: Richard Bejtlich <taosecurity@gmail.com>
Subject: Re: bin/84494: rpcbind TCP cannot be told to bind to a specific IP
Date: Sun, 04 Feb 2007 18:33:38 +0000

 A patch for this would be great, guys!
 
 Regards,
 BMS
Responsible-Changed-From-To: freebsd-bugs->matteo 
Responsible-Changed-By: matteo 
Responsible-Changed-When: Tue Apr 3 08:32:37 UTC 2007 
Responsible-Changed-Why:  
Take this, as I'm working in this area 

http://www.freebsd.org/cgi/query-pr.cgi?pr=84494 

From: Matteo Riondato <matteo@freebsd.org>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: bin/84494
Date: Fri, 20 Apr 2007 08:54:36 +0200

 A patch is available at
 http://people.freebsd.org/~matteo/diff/rpcbind.diff
 
 I hope to commit it soon.
 
 Best Regards
 --
 Matteo Riondato
 FreeBSD Committer (http://www.freebsd.org)
 G.U.F.I. Staff Member (http://www.gufi.org)
 FreeSBIE Developer (http://www.freesbie.org)
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/84494: commit references a PR
Date: Mon, 23 Apr 2007 07:09:34 +0000 (UTC)

 matteo      2007-04-23 07:09:25 UTC
 
   FreeBSD src repository
 
   Modified files:
     usr.sbin/rpcbind     rpcbind.8 rpcbind.c 
   Log:
   1) Make it possible for rpcbind(8) to bind TCP listening socket to an IP
   other than INADDR_ANY.
   
   2) Add the -6 option to specify "IPv6 only".
   
   Glanced at by: bms
   Requested by: bms [2]
   PR: bin/84494 [1]
   Approved by:    silence from maintainer (~2 weeks) [1]
   MFC after:      2 weeks
   
   Revision  Changes    Path
   1.10      +5 -3      src/usr.sbin/rpcbind/rpcbind.8
   1.15      +181 -238  src/usr.sbin/rpcbind/rpcbind.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: matteo 
State-Changed-When: Mon Apr 23 07:11:07 UTC 2007 
State-Changed-Why:  
A patch was committed to HEAD. I'll MFC it in 2 weeks. 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/84494: commit references a PR
Date: Sat,  9 Jun 2007 09:28:36 +0000 (UTC)

 matteo      2007-06-09 09:28:30 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_6)
     usr.sbin/rpcbind     rpcbind.8 rpcbind.c 
   Log:
   MFC:
           rpcbind.c: rev. 1.15, 1.16, 1.17
           rpcbind.8: rev. 1.10
   
   1) Make it possible for rpcbind(8) to bind TCP listening socket to an IP
   other than INADDR_ANY.
   
   2) Add the -6 option to specify "IPv6 only".
   
   PR:     84494, 1122566
   
   Revision  Changes    Path
   1.7.2.2   +5 -3      src/usr.sbin/rpcbind/rpcbind.8
   1.14.2.1  +223 -215  src/usr.sbin/rpcbind/rpcbind.c
 
State-Changed-From-To: patched->closed 
State-Changed-By: matteo 
State-Changed-When: Sat Jun 9 09:31:47 UTC 2007 
State-Changed-Why:  
Fixed and merged to RELENG_6. 

>Unformatted:
