{"description": "Firewalling should be done at each host and at the border\nfirewalls to protect the NFS daemons from remote access, since NFS servers\nshould never be accessible from outside the organization. However, by default\nfor NFSv3 and NFSv2, the RPC Bind service assigns each NFS service to a port\ndynamically at service startup time. Dynamic ports cannot be protected by port\nfiltering firewalls such as <tt>iptables</tt>.\n<br /><br />\nTherefore, restrict each service to always use a given port, so that\nfirewalling can be done effectively. Note that, because of the way RPC is\nimplemented, it is not possible to disable the RPC Bind service even if ports\nare assigned statically to all RPC services.\n<br /><br />\nIn NFSv4, the mounting and locking protocols have been incorporated into the\nprotocol, and the server listens on the well-known TCP port 2049. As such,\nNFSv4 does not need to interact with the <tt>rpcbind, lockd, and rpc.statd</tt>\ndaemons, which can and should be disabled in a pure NFSv4 environment. The\n<tt>rpc.mountd</tt> daemon is still required on the NFS server to set up\nexports, but is not involved in any over-the-wire operations.", "warnings": [], "requires": [], "conflicts": [], "values": {}, "groups": {}, "rules": ["nfs_fixed_lockd_tcp_port", "nfs_fixed_lockd_udp_port", "nfs_fixed_mountd_port", "nfs_fixed_statd_port"], "platform": "", "platforms": [], "inherited_platforms": [], "cpe_platform_names": [], "title": "Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/group.yml"}