Another important thing is to ensure that nfsd checks that all it's requests comes from a privileged port. If it accepts requests from any old port on the client a user with no special privileges can run a program that's is easy to obtain over the Internet. It talks nfs protocol and will claim that the user is anyone the user wants to be. Spooky. The Linux nfsd does this check by default, on other OSes you have to enable this check yourself. This should be described in the nfsd man page for the OS.
Another thing. Never export a file system to 'localhost' or 127.0.0.1. Trust me.
The TCP ports 1-1024 are reserved for root's use (and therefore sometimes referred to as "secure ports") A non-root user cannot bind these ports. Adding the secure option to an /etc/exports means that it will only listed to requests coming from ports 1-1024 on the client, so that a malicious non-root user on the client cannot come along and open up a spoofed NFS dialogue on a non-reserved port. This option is set by default.
Use a reserved socket port number. This is useful for mounting
servers that require clients to use a reserved port number on the
mistaken belief that this makes NFS more secure. (For the rare
case where the client has a trusted root account but untrustwor-
thy users and the network cables are in secure areas this does
help, but for normal desktop clients this does not apply.)
如果沒有加這個的話,會出現 /Volumes/nfs: Permission Denied
或是在nfs server /etc/exports 加上 insecure