rpcbind is new portmap or how to make nfs secure

I was installing an NFS server on an otherwise public host recently, and noticed that the conventional wisdom about securing an NFS server is somewhat dated. My goal was to expose NFS on two internal interfaces without exposing it to the whole wide Internet (assumptions about network security have changed a lot since NFS was designed, sadly).

For a start, you are probably running rpcbind instead of portmap on recent Debian installations, so you will need to modify the flags passed to rpcbind on startup (each -h takes one local address to bind to, -l logs connections through libwrap, -w is a warm start):

root@rsync1:~# cat /etc/default/rpcbind
OPTIONS="-w -l -h -h"

You will also need to add the following line to /etc/hosts.deny:

root@rsync1:~# grep rpcbind /etc/hosts.deny
rpcbind: ALL

Now you will notice that rpcinfo -p still works on localhost. That's because rpcbind always binds the loopback address as well, so we have to test it from another machine:

root@rsync1-dev:~# rpcinfo -p
rpcinfo: can't contact portmapper: RPC: Authentication error; why = Client credential too weak

That's more like it! If we take a look in the log...

root@rsync1:~# tail -1 /var/log/auth.log
May  8 20:31:51 rsync1 rpcbind: connect from to dump(): request from unauthorized host

...we don't even have to guess the local system's IP address. We'll allow this host to connect with an entry in /etc/hosts.allow...

root@rsync1:~# grep rpcbind /etc/hosts.allow

We can also check our tcp wrappers configuration with:

root@rsync1:~# tcpdmatch rpcbind
client:   address
server:   process  rpcbind
access:   granted
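The steps above come down to three settings (rpcbind bound to specific addresses, "rpcbind: ALL" in hosts.deny, and the trusted client in hosts.allow) plus a tcpdmatch check. The script below is an added example, not part of the original post or of rpcbind/tcp_wrappers: it writes constructed copies of those three files with made-up 10.0.0.0/24 addresses, audits them, and re-implements tcpd's decision order (hosts.allow match grants, then hosts.deny match refuses, else grant) so the result can be compared with what tcpdmatch prints. The matcher covers only the subset of client patterns used here (ALL, an exact address, a trailing-dot network prefix, net/dotted-mask); hostnames, EXCEPT and prefix-length notation are not handled.

```shell
#!/bin/sh
# Added example: audit the rpcbind lockdown described above and emulate
# the tcp_wrappers hosts.allow / hosts.deny decision on constructed files.
# All addresses and file contents below are made up for the demonstration.

TMP=$(mktemp -d)

# Constructed sample files (hypothetical internal addresses, not from the post).
cat >"$TMP/rpcbind.default" <<'EOF'
OPTIONS="-w -l -h 10.0.0.1 -h 10.0.1.1"
EOF
cat >"$TMP/hosts.allow" <<'EOF'
# trusted internal network may talk to rpcbind
rpcbind: 10.0.0.0/255.255.255.0
EOF
cat >"$TMP/hosts.deny" <<'EOF'
rpcbind: ALL
EOF

# 0 when OPTIONS carries at least one -h <address>, i.e. rpcbind is not on all interfaces.
rpcbind_bound_to_addresses() {
    grep -E '^OPTIONS=.*-h[[:space:]]+[0-9]' "$1" >/dev/null
}

# 0 when the deny file refuses rpcbind to every client not listed in hosts.allow.
rpcbind_denied_by_default() {
    grep -E '^rpcbind:[[:space:]]*ALL' "$1" >/dev/null
}

# Dotted IPv4 -> integer, so net/mask comparisons are plain arithmetic.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# 0 if CLIENT matches PATTERN: ALL, exact address, "10.0.0." prefix, or net/dotted-mask.
client_matches() {
    pat=$1; client=$2
    case "$pat" in
        ALL) return 0 ;;
        */*)
            net=${pat%/*}; mask=${pat#*/}
            n=$(ip_to_int "$net"); m=$(ip_to_int "$mask"); c=$(ip_to_int "$client")
            [ $(( c & m )) -eq $(( n & m )) ] ;;
        *.) case "$client" in "$pat"*) return 0 ;; esac; return 1 ;;
        *)  [ "$pat" = "$client" ] ;;
    esac
}

# 0 if some "daemon_list : client_list" line in FILE matches DAEMON and CLIENT.
file_matches() {
    file=$1; daemon=$2; client=$3
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac   # skip blanks and comments
        dlist=${line%%:*}
        rest=${line#*:}
        clist=${rest%%:*}                          # ignore a trailing ": option" field
        dmatch=1
        for d in $(printf '%s' "$dlist" | tr ',' ' '); do
            if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then dmatch=0; fi
        done
        [ $dmatch -eq 0 ] || continue
        for c in $(printf '%s' "$clist" | tr ',' ' '); do
            client_matches "$c" "$client" && return 0
        done
    done <"$file"
    return 1
}

# Same order tcpd and tcpdmatch use: allow file first, then deny file, else grant.
# Usage: wrapper_decision ALLOWFILE DENYFILE DAEMON CLIENT  -> prints granted|denied
wrapper_decision() {
    if file_matches "$1" "$3" "$4"; then echo granted
    elif file_matches "$2" "$3" "$4"; then echo denied
    else echo granted
    fi
}

# Stand-alone demo over the constructed files.
rpcbind_bound_to_addresses "$TMP/rpcbind.default" && echo "rpcbind: bound to specific addresses"
rpcbind_denied_by_default "$TMP/hosts.deny" && echo "rpcbind: denied by default"
for client in 10.0.0.42 192.0.2.7; do
    echo "rpcbind from $client: $(wrapper_decision "$TMP/hosts.allow" "$TMP/hosts.deny" rpcbind "$client")"
done
```

On a real host the same questions are answered by rpcinfo -p from a non-loopback client and by tcpdmatch rpcbind <client>; the emulation is only there to show why the hosts.deny line must be present, since without it a client missing from hosts.allow falls through to "granted".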