>Sun's NFS implementation always used TCP as well as UDP -- a better
>idea would be to block portmapper (111 udp/tcp) as well as NFS ---
>but it depends on how paranoid you wish to be.

Sun's NFS implementation has never used TCP, only UDP. Mountd does use TCP.

>Blocking tcp/udp 2049 will not prevent *ALL* NFS attacks -- you might still
>be able to get the fh's through source-routed requests to rpc.mountd (which
>might run on TCP & UDP ports), but it won't give you any access -- you can never
>retrieve any data, because you can't get a reply sent back to you (you'd
>need to fake the src address to get a reply, but you won't pass the filters
>if you want the reply.. UDP doesn't have an IP_OPTIONS, thus doesn't support
>source routing.)
>
>if NFS is filtered at the router, you will be able to send "unlink" requests
>(using the fh's you have) but it will only cause damage, which is still
>dangerous enough.

Not necessarily. If you block all requests destined for port 2049 in an
inbound filter, faked packets won't get through, no matter what the source
address is.

Casper
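As an added illustration of the last point above (example code, not from the thread or from any NFS implementation): a small Python model of a stateless filter on the outside interface, comparing a policy keyed on the packet's claimed source address with one that drops everything addressed to 2049 and to the portmapper on 111; the trusted prefix and the sample addresses are constructed.

```python
# Added example, not code from the thread: a minimal model of a stateless
# packet filter. It compares a source-address policy with the inbound
# destination-port policy discussed above (block everything to 2049, and,
# as the quoted poster suggests, 111 for the portmapper).
from dataclasses import dataclass

NFS_PORT = 2049       # nfsd, tcp/udp
PORTMAP_PORT = 111    # portmapper, tcp/udp


@dataclass(frozen=True)
class Packet:
    src: str      # source address as carried in the IP header (may be forged)
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


def source_address_filter(pkt: Packet, trusted_prefix: str = "10.1.") -> str:
    """Weak policy: trust the packet's own claim about where it came from.
    The trusted prefix is a constructed example value."""
    return "permit" if pkt.src.startswith(trusted_prefix) else "deny"


def inbound_port_filter(pkt: Packet,
                        blocked=frozenset({NFS_PORT, PORTMAP_PORT})) -> str:
    """Policy from the thread: drop every inbound packet addressed to NFS or
    the portmapper, whatever source address it carries."""
    if pkt.proto in ("tcp", "udp") and pkt.dport in blocked:
        return "deny"
    return "permit"


# Constructed sample traffic arriving on the outside interface.
WEB_REQUEST = Packet(src="203.0.113.7", proto="tcp", dport=80)
SPOOFED_NFS = Packet(src="10.1.0.5", proto="udp", dport=NFS_PORT)      # forged src
SPOOFED_PORTMAP = Packet(src="10.1.0.5", proto="tcp", dport=PORTMAP_PORT)


def compare(pkt: Packet) -> dict:
    """Return each policy's verdict for one packet."""
    return {"source_filter": source_address_filter(pkt),
            "inbound_port_filter": inbound_port_filter(pkt)}


if __name__ == "__main__":
    for p in (WEB_REQUEST, SPOOFED_NFS, SPOOFED_PORTMAP):
        print(p, compare(p))
```

The forged-source NFS request passes the source-address policy but is dropped by the destination-port policy, while ordinary traffic to other ports is unaffected by the latter.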