From 599e123ad47ff30d11eb91fd74262b5cf90d3257 Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Mon, 30 May 2022 22:23:13 +0100
Subject: [PATCH] *.m4: Actually allow NFS to untrusted hosts.

Some NFS servers are configured to allow mounts from untrusted hosts, but the firewall won't let them. Fix this.
---
 jem.m4 | 5 +++++
 numbers.m4 | 3 +++
 roadstar.m4 | 5 +++++
 telecaster.m4 | 5 +++++
 4 files changed, 18 insertions(+)

diff --git a/jem.m4 b/jem.m4
index 5f79248..ecbed74 100644
--- a/jem.m4
+++ b/jem.m4
@@ -40,6 +40,11 @@ allowservices inbound tcp \
 http https rsync \
 git
+allowservices inbound-untrusted tcp \
+ sunrpc mount nfs
+allowservices inbound-untrusted udp \
+ sunrpc mount nfs
+
 ## Provide DNS resolution to local untrusted hosts.
 for p in tcp udp; do
 run ip46tables -A inbound -j ACCEPT \
diff --git a/numbers.m4 b/numbers.m4
index 456ff84..32df339 100644
--- a/numbers.m4
+++ b/numbers.m4
@@ -36,6 +36,7 @@ defport bootpc 68
 defport tftp 69
 defport finger 79
 defport http 80
+defport sunrpc 111
 defport ident 113
 defport netbios_ns 137
 defport netbios_dgm 138
@@ -51,6 +52,7 @@ defport rsync 873
 defport ftps 990
 defport imaps 993
 defport h323 1720
+defport nfs 2049
 defport ssquid 3127
 defport squid 3128
 defport icp 3130
@@ -70,6 +72,7 @@ defport pgp_keys 11371
 defport i2p 16911
 defport disorder2 23598
 defport disorder 23599
+defport mount 32767
 defport udpkey 59274
 ## Protocol numbers.
diff --git a/roadstar.m4 b/roadstar.m4
index 5485d00..61b0aa9 100644
--- a/roadstar.m4
+++ b/roadstar.m4
@@ -33,6 +33,11 @@ allowservices inbound tcp \
 rsync \
 http https squid
+allowservices inbound-untrusted tcp \
+ sunrpc mount nfs
+allowservices inbound-untrusted udp \
+ sunrpc mount nfs
+
 ## Provide DNS resolution to local untrusted hosts.
 for p in tcp udp; do
 run ip46tables -A inbound-untrusted -j ACCEPT \
diff --git a/telecaster.m4 b/telecaster.m4
index b9f1069..103d11b 100644
--- a/telecaster.m4
+++ b/telecaster.m4
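Review bot: The added `allowservices inbound-untrusted` lines in jem.m4 open sunrpc and mount on both TCP and UDP to untrusted hosts, which is wider than NFS itself needs. rpcbind reachable over UDP from an untrusted network is a well-known reflection/amplification and service-enumeration exposure, and NFSv4 clients need only TCP to nfs (2049), so if the untrusted clients are v4 then `allowservices inbound-untrusted tcp nfs` alone would do; if they are v3, the list is also missing the lock-manager and statd ports that v3 mounts use. Either way a comment above the block recording which NFS version and transports the untrusted hosts actually use, e.g. `## Untrusted NFSv3 clients need rpcbind and mountd as well; mountd's port is pinned on the servers.`, would make the width of the opening deliberate. The same four lines appear verbatim in roadstar.m4 and telecaster.m4, so a shared macro in the common include that defines `allowservices` would keep the three hosts in step. The `allowservices inbound tcp \` list that precedes the new lines starts before the hunk.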
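Review bot: `defport mount 32767` in the third numbers.m4 hunk assigns a fixed number to a service that has no registered port: unlike sunrpc (111) and nfs (2049), mountd normally takes whatever rpcbind hands it at start-up, so this rule only matches if every NFS server pins rpc.mountd to 32767 (its `--port` option), and a mismatch shows up as mounts from untrusted hosts hanging rather than as any firewall error. Record that dependency next to the definition, e.g. a `## mountd has no fixed port; each NFS server must pin rpc.mountd to this value.` line above the defport. The NFSv3 lock manager and statd have the same dynamic-port behaviour and are not defined in this table at all, which matters if v3 mounts from untrusted hosts are expected.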
@@ -34,6 +34,11 @@ allowservices inbound tcp \
 rsync \
 http https squid ssquid
+allowservices inbound-untrusted tcp \
+ sunrpc mount nfs
+allowservices inbound-untrusted udp \
+ sunrpc mount nfs
+
 run iptables -A inbound -j ACCEPT \
 -p udp --destination-port $port_icp \
 -m limit --limit 10/second --limit-burst 100
-- 
2.11.0