diff --git a/sbin/mountd/mountd.c b/sbin/mountd/mountd.c
index f09486396036..8039be821ad4 100644
--- a/sbin/mountd/mountd.c
+++ b/sbin/mountd/mountd.c
@@ -43,7 +43,7 @@ static char copyright[] =
 #ifndef lint
 /*static char sccsid[] = "@(#)mountd.c	8.15 (Berkeley) 5/1/95"; */
 static const char rcsid[] =
-	"$Id: mountd.c,v 1.13 1997/02/22 14:33:02 peter Exp $";
+	"$Id: mountd.c,v 1.14 1997/03/11 12:43:45 peter Exp $";
 #endif /*not lint*/
 
 #include <sys/param.h>
@@ -54,6 +54,7 @@ static const char rcsid[] =
 #include <sys/stat.h>
 #include <sys/syslog.h>
 #include <sys/ucred.h>
+#include <sys/sysctl.h>
 
 #include <rpc/rpc.h>
 #include <rpc/pmap_clnt.h>
@@ -63,6 +64,7 @@ static const char rcsid[] =
 #endif
 #include <nfs/rpcv2.h>
 #include <nfs/nfsproto.h>
+#include <nfs/nfs.h>
 #include <ufs/ufs/ufsmount.h>
 #include <msdosfs/msdosfsmount.h>
 #include <isofs/cd9660/cd9660_mount.h>	/* XXX need isofs in include */
@@ -255,6 +257,7 @@ main(argc, argv)
 #ifdef __FreeBSD__
 	struct vfsconf vfc;
 	int error;
+	int mib[3];
 
 	error = getvfsbyname("nfs", &vfc);
 	if (error && vfsisloadable("nfs")) {
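Review bot: `int mib[3];` is declared inside the `#ifdef __FreeBSD__` block, while the code that fills it and passes it to sysctl() is added in the later hunk at `@@ -314`, where no matching guard is visible. If that later block is compiled unconditionally, a build without `__FreeBSD__` defined fails on an undeclared `mib`; declare it next to its use or put both under the same guard. The same hunk appears in usr.sbin/mountd/mountd.c, and main's body continues outside the hunk.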
@@ -314,6 +317,16 @@ main(argc, argv)
 		fclose(pidfile);
 	  }
 	}
+
+	mib[0] = CTL_VFS;
+	mib[1] = MOUNT_NFS;
+	mib[2] = NFS_NFSPRIVPORT;
+	if (sysctl(mib, 3, NULL, NULL,
+	    &resvport_only, sizeof(resvport_only)) != 0) {
+		syslog(LOG_ERR, "sysctl: %m");
+		exit(1);
+	}
+
 	if ((udptransp = svcudp_create(RPC_ANYSOCK)) == NULL ||
 	    (tcptransp = svctcp_create(RPC_ANYSOCK, 0, 0)) == NULL) {
 		syslog(LOG_ERR, "Can't create socket");
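Review bot: The added sysctl() call overwrites the kernel-wide NFS port policy with mountd's `resvport_only` on every start, so a value an administrator set by hand is silently replaced. If `resvport_only` is 0, this also turns the kernel check off for all NFS traffic, which deserves a comment above the block such as `/* Push mountd's reserved-port policy into the NFS server (vfs.nfs.nfs_privport); this replaces any value set by hand. */`. The failure path logs only `sysctl: %m` and exits, so on a kernel that lacks this OID mountd refuses to start without saying which variable was involved; `syslog(LOG_ERR, "sysctl vfs.nfs.nfs_privport: %m");` would make that diagnosable. The kernel variable is an `int`, and the declaration of `resvport_only` is outside the hunk, so confirm that `sizeof(resvport_only)` matches. The same hunk appears in usr.sbin/mountd/mountd.c.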
diff --git a/sys/nfs/nfs.h b/sys/nfs/nfs.h
index 6aaa1da83014..dd71abe40e36 100644
--- a/sys/nfs/nfs.h
+++ b/sys/nfs/nfs.h
@@ -34,7 +34,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)nfs.h	8.4 (Berkeley) 5/1/95
- * $Id$
+ * $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
  */
 
 #ifndef _NFS_NFS_H_
@@ -324,10 +324,12 @@ struct nfsstats {
  * fs.nfs sysctl(3) identifiers
  */
 #define NFS_NFSSTATS	1		/* struct: struct nfsstats */
+#define NFS_NFSPRIVPORT	2		/* int: prohibit nfs to resvports */
 
 #define FS_NFS_NAMES { \
 		       { 0, 0 }, \
 		       { "nfsstats", CTLTYPE_STRUCT }, \
+		       { "nfsprivport", CTLTYPE_INT }, \
 }
 
 /*
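Review bot: The comment on `NFS_NFSPRIVPORT`, "prohibit nfs to resvports", reads as the opposite of what the knob does. The kernel check added in this commit rejects requests whose source port is `>= IPPORT_RESERVED`, so the knob requires reserved ports; `#define NFS_NFSPRIVPORT	2		/* int: require NFS requests to come from reserved ports */` says that. The name in `FS_NFS_NAMES` is `"nfsprivport"`, while the `SYSCTL_INT` in nfs_syscalls.c registers `nfs_privport`; the two spellings should agree so the variable has one name wherever it is looked up. The same hunk appears in sys/nfsclient/nfs.h, sys/nfsclient/nfsargs.h, sys/nfsclient/nfsstats.h, sys/nfsserver/nfs.h and sys/nfsserver/nfsrvstats.h.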
diff --git a/sys/nfs/nfs_syscalls.c b/sys/nfs/nfs_syscalls.c
index 83cd64dd9c9b..396dff88d13a 100644
--- a/sys/nfs/nfs_syscalls.c
+++ b/sys/nfs/nfs_syscalls.c
@@ -34,7 +34,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)nfs_syscalls.c	8.5 (Berkeley) 3/30/95
- * $Id: nfs_syscalls.c,v 1.18 1997/02/22 09:42:42 peter Exp $
+ * $Id: nfs_syscalls.c,v 1.19 1997/03/22 06:53:11 bde Exp $
  */
 
 #include <sys/param.h>
@@ -107,6 +107,10 @@ static void	nfsd_rt __P((int sotype, struct nfsrv_descript *nd,
 			     int cacherep));
 static int	nfssvc_addsock __P((struct file *,struct mbuf *));
 static int	nfssvc_nfsd __P((struct nfsd_srvargs *,caddr_t,struct proc *));
+
+static int nfs_privport = 0;
+SYSCTL_INT(_vfs_nfs, NFS_NFSPRIVPORT, nfs_privport, CTLFLAG_RW, &nfs_privport, 0, "");
+
 /*
  * NFS server system calls
  * getfh() lives here too, but maybe should move to kern/vfs_syscalls.c
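Review bot: `nfs_privport` is a security-relevant switch, but it is added with no comment and an empty description string in `SYSCTL_INT`. It also defaults to 0, so the source-port check stays off until something writes the variable. A comment such as `/* Non-zero: reject NFS requests whose source port is >= IPPORT_RESERVED (set by mountd at startup). */` and a matching description in place of `""` would tell an operator what the knob does and who is expected to set it. The same hunk appears in sys/nfsclient/nfs_nfsiod.c and sys/nfsserver/nfs_syscalls.c.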
@@ -592,7 +596,24 @@ nfssvc_nfsd(nsd, argp, p)
 			nd->nd_procnum = NFSPROC_NOOP;
 			nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
 			cacherep = RC_DOIT;
+		    } else if (nfs_privport) {
+			/* Check if source port is privileged */
+			u_short port;
+			u_long  addr;
+			struct mbuf *nam = nd->nd_nam;
+			struct sockaddr_in *sin;
+
+			sin = mtod(nam, struct sockaddr_in *);
+			port = ntohs(sin->sin_port);
+			if (port >= IPPORT_RESERVED) {
+			    nd->nd_procnum = NFSPROC_NOOP;
+			    nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
+			    cacherep = RC_DOIT;
+			    printf("NFS request from unprivileged port (%s:%d)\n",
+				   inet_ntoa(sin->sin_addr), port);
+			}
 		    }
+
 		}
 
 		/*
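Review bot: The added `printf` in the `port >= IPPORT_RESERVED` branch fires once per rejected request with no throttling, so any host that can send requests from a non-reserved port can fill the console and message buffer at packet rate. Count the rejections and report them periodically, or log through a rate-limited path. The branch also reads `sin->sin_port` without checking `sin->sin_family == AF_INET`, so for any other address family the comparison is made on unrelated bytes; add that check before the port test and decide explicitly what a non-INET peer gets. `u_long  addr;` is declared and never used and can be dropped. The same hunk appears in sys/nfsclient/nfs_nfsiod.c and sys/nfsserver/nfs_syscalls.c, and nfssvc_nfsd starts and ends outside the hunk.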
diff --git a/sys/nfsclient/nfs.h b/sys/nfsclient/nfs.h
index 6aaa1da83014..dd71abe40e36 100644
--- a/sys/nfsclient/nfs.h
+++ b/sys/nfsclient/nfs.h
@@ -34,7 +34,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)nfs.h	8.4 (Berkeley) 5/1/95
- * $Id$
+ * $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
  */
 
 #ifndef _NFS_NFS_H_
@@ -324,10 +324,12 @@ struct nfsstats {
  * fs.nfs sysctl(3) identifiers
  */
 #define NFS_NFSSTATS	1		/* struct: struct nfsstats */
+#define NFS_NFSPRIVPORT	2		/* int: prohibit nfs to resvports */
 
 #define FS_NFS_NAMES { \
 		       { 0, 0 }, \
 		       { "nfsstats", CTLTYPE_STRUCT }, \
+		       { "nfsprivport", CTLTYPE_INT }, \
 }
 
 /*
diff --git a/sys/nfsclient/nfs_nfsiod.c b/sys/nfsclient/nfs_nfsiod.c
index 83cd64dd9c9b..396dff88d13a 100644
--- a/sys/nfsclient/nfs_nfsiod.c
+++ b/sys/nfsclient/nfs_nfsiod.c
@@ -34,7 +34,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)nfs_syscalls.c	8.5 (Berkeley) 3/30/95
- * $Id: nfs_syscalls.c,v 1.18 1997/02/22 09:42:42 peter Exp $
+ * $Id: nfs_syscalls.c,v 1.19 1997/03/22 06:53:11 bde Exp $
  */
 
 #include <sys/param.h>
@@ -107,6 +107,10 @@ static void	nfsd_rt __P((int sotype, struct nfsrv_descript *nd,
 			     int cacherep));
 static int	nfssvc_addsock __P((struct file *,struct mbuf *));
 static int	nfssvc_nfsd __P((struct nfsd_srvargs *,caddr_t,struct proc *));
+
+static int nfs_privport = 0;
+SYSCTL_INT(_vfs_nfs, NFS_NFSPRIVPORT, nfs_privport, CTLFLAG_RW, &nfs_privport, 0, "");
+
 /*
  * NFS server system calls
  * getfh() lives here too, but maybe should move to kern/vfs_syscalls.c
@@ -592,7 +596,24 @@ nfssvc_nfsd(nsd, argp, p)
 			nd->nd_procnum = NFSPROC_NOOP;
 			nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
 			cacherep = RC_DOIT;
+		    } else if (nfs_privport) {
+			/* Check if source port is privileged */
+			u_short port;
+			u_long  addr;
+			struct mbuf *nam = nd->nd_nam;
+			struct sockaddr_in *sin;
+
+			sin = mtod(nam, struct sockaddr_in *);
+			port = ntohs(sin->sin_port);
+			if (port >= IPPORT_RESERVED) {
+			    nd->nd_procnum = NFSPROC_NOOP;
+			    nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
+			    cacherep = RC_DOIT;
+			    printf("NFS request from unprivileged port (%s:%d)\n",
+				   inet_ntoa(sin->sin_addr), port);
+			}
 		    }
+
 		}
 
 		/*
diff --git a/sys/nfsclient/nfsargs.h b/sys/nfsclient/nfsargs.h
index 6aaa1da83014..dd71abe40e36 100644
--- a/sys/nfsclient/nfsargs.h
+++ b/sys/nfsclient/nfsargs.h
@@ -34,7 +34,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)nfs.h	8.4 (Berkeley) 5/1/95
- * $Id$
+ * $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
  */
 
 #ifndef _NFS_NFS_H_
@@ -324,10 +324,12 @@ struct nfsstats {
  * fs.nfs sysctl(3) identifiers
  */
 #define NFS_NFSSTATS	1		/* struct: struct nfsstats */
+#define NFS_NFSPRIVPORT	2		/* int: prohibit nfs to resvports */
 
 #define FS_NFS_NAMES { \
 		       { 0, 0 }, \
 		       { "nfsstats", CTLTYPE_STRUCT }, \
+		       { "nfsprivport", CTLTYPE_INT }, \
 }
 
 /*
diff --git a/sys/nfsclient/nfsstats.h b/sys/nfsclient/nfsstats.h
index 6aaa1da83014..dd71abe40e36 100644
--- a/sys/nfsclient/nfsstats.h
+++ b/sys/nfsclient/nfsstats.h
@@ -34,7 +34,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)nfs.h	8.4 (Berkeley) 5/1/95
- * $Id$
+ * $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
  */
 
 #ifndef _NFS_NFS_H_
@@ -324,10 +324,12 @@ struct nfsstats {
  * fs.nfs sysctl(3) identifiers
  */
 #define NFS_NFSSTATS	1		/* struct: struct nfsstats */
+#define NFS_NFSPRIVPORT	2		/* int: prohibit nfs to resvports */
 
 #define FS_NFS_NAMES { \
 		       { 0, 0 }, \
 		       { "nfsstats", CTLTYPE_STRUCT }, \
+		       { "nfsprivport", CTLTYPE_INT }, \
 }
 
 /*
diff --git a/sys/nfsserver/nfs.h b/sys/nfsserver/nfs.h
index 6aaa1da83014..dd71abe40e36 100644
--- a/sys/nfsserver/nfs.h
+++ b/sys/nfsserver/nfs.h
@@ -34,7 +34,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)nfs.h	8.4 (Berkeley) 5/1/95
- * $Id$
+ * $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
  */
 
 #ifndef _NFS_NFS_H_
@@ -324,10 +324,12 @@ struct nfsstats {
  * fs.nfs sysctl(3) identifiers
  */
 #define NFS_NFSSTATS	1		/* struct: struct nfsstats */
+#define NFS_NFSPRIVPORT	2		/* int: prohibit nfs to resvports */
 
 #define FS_NFS_NAMES { \
 		       { 0, 0 }, \
 		       { "nfsstats", CTLTYPE_STRUCT }, \
+		       { "nfsprivport", CTLTYPE_INT }, \
 }
 
 /*
diff --git a/sys/nfsserver/nfs_syscalls.c b/sys/nfsserver/nfs_syscalls.c
index 83cd64dd9c9b..396dff88d13a 100644
--- a/sys/nfsserver/nfs_syscalls.c
+++ b/sys/nfsserver/nfs_syscalls.c
@@ -34,7 +34,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)nfs_syscalls.c	8.5 (Berkeley) 3/30/95
- * $Id: nfs_syscalls.c,v 1.18 1997/02/22 09:42:42 peter Exp $
+ * $Id: nfs_syscalls.c,v 1.19 1997/03/22 06:53:11 bde Exp $
  */
 
 #include <sys/param.h>
@@ -107,6 +107,10 @@ static void	nfsd_rt __P((int sotype, struct nfsrv_descript *nd,
 			     int cacherep));
 static int	nfssvc_addsock __P((struct file *,struct mbuf *));
 static int	nfssvc_nfsd __P((struct nfsd_srvargs *,caddr_t,struct proc *));
+
+static int nfs_privport = 0;
+SYSCTL_INT(_vfs_nfs, NFS_NFSPRIVPORT, nfs_privport, CTLFLAG_RW, &nfs_privport, 0, "");
+
 /*
  * NFS server system calls
  * getfh() lives here too, but maybe should move to kern/vfs_syscalls.c
@@ -592,7 +596,24 @@ nfssvc_nfsd(nsd, argp, p)
 			nd->nd_procnum = NFSPROC_NOOP;
 			nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
 			cacherep = RC_DOIT;
+		    } else if (nfs_privport) {
+			/* Check if source port is privileged */
+			u_short port;
+			u_long  addr;
+			struct mbuf *nam = nd->nd_nam;
+			struct sockaddr_in *sin;
+
+			sin = mtod(nam, struct sockaddr_in *);
+			port = ntohs(sin->sin_port);
+			if (port >= IPPORT_RESERVED) {
+			    nd->nd_procnum = NFSPROC_NOOP;
+			    nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
+			    cacherep = RC_DOIT;
+			    printf("NFS request from unprivileged port (%s:%d)\n",
+				   inet_ntoa(sin->sin_addr), port);
+			}
 		    }
+
 		}
 
 		/*
diff --git a/sys/nfsserver/nfsrvstats.h b/sys/nfsserver/nfsrvstats.h
index 6aaa1da83014..dd71abe40e36 100644
--- a/sys/nfsserver/nfsrvstats.h
+++ b/sys/nfsserver/nfsrvstats.h
@@ -34,7 +34,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)nfs.h	8.4 (Berkeley) 5/1/95
- * $Id$
+ * $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
  */
 
 #ifndef _NFS_NFS_H_
@@ -324,10 +324,12 @@ struct nfsstats {
  * fs.nfs sysctl(3) identifiers
  */
 #define NFS_NFSSTATS	1		/* struct: struct nfsstats */
+#define NFS_NFSPRIVPORT	2		/* int: prohibit nfs to resvports */
 
 #define FS_NFS_NAMES { \
 		       { 0, 0 }, \
 		       { "nfsstats", CTLTYPE_STRUCT }, \
+		       { "nfsprivport", CTLTYPE_INT }, \
 }
 
 /*
diff --git a/usr.sbin/mountd/mountd.c b/usr.sbin/mountd/mountd.c
index f09486396036..8039be821ad4 100644
--- a/usr.sbin/mountd/mountd.c
+++ b/usr.sbin/mountd/mountd.c
@@ -43,7 +43,7 @@ static char copyright[] =
 #ifndef lint
 /*static char sccsid[] = "@(#)mountd.c	8.15 (Berkeley) 5/1/95"; */
 static const char rcsid[] =
-	"$Id: mountd.c,v 1.13 1997/02/22 14:33:02 peter Exp $";
+	"$Id: mountd.c,v 1.14 1997/03/11 12:43:45 peter Exp $";
 #endif /*not lint*/
 
 #include <sys/param.h>
@@ -54,6 +54,7 @@ static const char rcsid[] =
 #include <sys/stat.h>
 #include <sys/syslog.h>
 #include <sys/ucred.h>
+#include <sys/sysctl.h>
 
 #include <rpc/rpc.h>
 #include <rpc/pmap_clnt.h>
@@ -63,6 +64,7 @@ static const char rcsid[] =
 #endif
 #include <nfs/rpcv2.h>
 #include <nfs/nfsproto.h>
+#include <nfs/nfs.h>
 #include <ufs/ufs/ufsmount.h>
 #include <msdosfs/msdosfsmount.h>
 #include <isofs/cd9660/cd9660_mount.h>	/* XXX need isofs in include */
@@ -255,6 +257,7 @@ main(argc, argv)
 #ifdef __FreeBSD__
 	struct vfsconf vfc;
 	int error;
+	int mib[3];
 
 	error = getvfsbyname("nfs", &vfc);
 	if (error && vfsisloadable("nfs")) {
@@ -314,6 +317,16 @@ main(argc, argv)
 		fclose(pidfile);
 	  }
 	}
+
+	mib[0] = CTL_VFS;
+	mib[1] = MOUNT_NFS;
+	mib[2] = NFS_NFSPRIVPORT;
+	if (sysctl(mib, 3, NULL, NULL,
+	    &resvport_only, sizeof(resvport_only)) != 0) {
+		syslog(LOG_ERR, "sysctl: %m");
+		exit(1);
+	}
+
 	if ((udptransp = svcudp_create(RPC_ANYSOCK)) == NULL ||
 	    (tcptransp = svctcp_create(RPC_ANYSOCK, 0, 0)) == NULL) {
 		syslog(LOG_ERR, "Can't create socket");