rpcbind - is there really no way to make the TCP ports bind to a specific interface / can NFS be run without rpcbind?

We would like to move away from sshfs to nfs.

The last thing holding us back is the fact that rpcbind (which I assume is required for NFS to work) does not let you specify the IP that its TCP (not UDP) ports bind to.

There is the -h flag, but this only applies to the UDP ports it opens up. It does not affect the TCP ports; they still open on 0.0.0.0:...

Does anyone know how we can secure rpcbind by not exposing it to our public interface?

Or, even better, is there a way to use NFS without rpcbind?

Thanks!


rpcbind is required to map an RPC service to a network (read: TCP or UDP) address and port. NFS versions 2 and 3 require an additional service, mountd, to let clients obtain the initial file handle. While nfs has a well-known port number, 2049, mountd doesn't. IOW, if you want to use NFSv3 you will need to run rpcbind as well (well, there are probably some mount options to tell the client where mountd is running). Unlike v3, NFSv4 requires only the single port 2049 and does not need mountd at all. This makes an rpcbind-free NFS setup possible. Just be aware that some (old) clients may still try to talk to rpcbind even for v4.

Now, about rpcbind. Why do you want to protect it? If it's not available to clients, then they can't mount. The only reason to protect it is to limit the number of clients which can do updates. But this is already in place, as rpcbind uses a unix domain socket and disallows any remote client from performing updates. Even on the local host you need to be root for that. If you want to protect it from some clients only, then iptables is your friend (or whatever firewall your OS has):

# iptables -A INPUT -s 10.1.2.0/24 -p tcp --dport 111 -j ACCEPT
# iptables -A INPUT -s 10.1.3.0/24 -p udp --dport 111 -j ACCEPT
# iptables -A INPUT -p tcp --dport 111 -j DROP
# iptables -A INPUT -p udp --dport 111 -j DROP
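The two things a practitioner would want alongside that answer are a check that rpcbind's TCP listener really is sitting on the wildcard address (the -h flag, as the question notes, only narrows the UDP side) and a reviewable version of the allowlist-then-drop rules for port 111. The script below is an added example, not code from the original question or answer: it reads "ss -ltn"-style output from stdin and reports whether port 111 is bound to 0.0.0.0 or [::], and it prints the iptables commands for a list of client networks instead of running them, so they can be inspected before being piped into sh as root. The socket listings in it are constructed samples, not captures from a real host.

```shell
#!/bin/sh
# Added example (not from the original post). Two helpers:
#   rpcbind_tcp_exposed  - reads "ss -ltn"-style lines on stdin, exits 0 if a
#                          listener on port 111 is bound to a wildcard address
#   rpcbind_rules NET... - prints iptables allow/drop commands for 111/tcp+udp
# Sample listings below are constructed for the example, not real output.

# ss -ltn columns: State Recv-Q Send-Q Local Address:Port Peer Address:Port
# Exit 0 (exposed) when port 111 is listening on 0.0.0.0, [::] or *.
# rpcbind -h only restricts UDP, so the TCP listener is the one to check.
rpcbind_tcp_exposed() {
    awk '$1 == "LISTEN" {
            addr = $4; sub(/:[0-9]+$/, "", addr)   # drop ":port"
            port = $4; sub(/.*:/, "", port)        # keep only the port
            if (port == "111" && (addr == "0.0.0.0" || addr == "[::]" || addr == "*"))
                found = 1
         }
         END { exit found ? 0 : 1 }'
}

# Print the rules from the answer for each CIDR given as an argument: accept
# 111/tcp and 111/udp from those networks, then drop port 111 from everyone.
# Printed rather than executed so the rules can be reviewed first; apply with
#   rpcbind_rules 10.1.2.0/24 10.1.3.0/24 | sudo sh
# Rules are appended (-A), so an earlier ACCEPT for port 111 in INPUT would
# still win; check the chain order before relying on this.
rpcbind_rules() {
    for net in "$@"; do
        for proto in tcp udp; do
            printf 'iptables -A INPUT -s %s -p %s --dport 111 -j ACCEPT\n' "$net" "$proto"
        done
    done
    printf 'iptables -A INPUT -p tcp --dport 111 -j DROP\n'
    printf 'iptables -A INPUT -p udp --dport 111 -j DROP\n'
}

# Constructed sample: rpcbind on the wildcard address for both IPv4 and IPv6.
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   0.0.0.0:111        0.0.0.0:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
LISTEN 0      4096   [::]:111           [::]:*'

# Constructed sample: rpcbind on loopback only, NFSv4 (2049) on the wildcard.
SAMPLE_LOCAL='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.1:111      0.0.0.0:*
LISTEN 0      64     0.0.0.0:2049       0.0.0.0:*'

# Stand-alone demo. On a real host replace the sample with: ss -ltn | rpcbind_tcp_exposed
printf '%s\n' "$SAMPLE_EXPOSED" | rpcbind_tcp_exposed && echo "sample 1: rpcbind TCP listener exposed on a wildcard address"
printf '%s\n' "$SAMPLE_LOCAL"   | rpcbind_tcp_exposed || echo "sample 2: rpcbind TCP listener not on a wildcard address"
rpcbind_rules 10.1.2.0/24 10.1.3.0/24
```

If the answer's NFSv4-only route is taken instead, the exposure check still applies until rpcbind is actually stopped: rpc.nfsd -N 2 -N 3 (or vers3=n in the [nfsd] section of /etc/nfs.conf on nfs-utils) keeps nfsd from serving v2/v3, but rpcbind keeps listening on port 111 until its service and socket units are disabled, and the firewall rules remain the backstop for the old clients the answer mentions that probe port 111 anyway.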