Hello. I followed the instructions on many websites to wrap NFS4 in SSH
so that to the nfs daemon it is a local mount.

The NFS server is on a public server. Besides the option to use a
firewall, I wonder if it is possible the nfs server can be configured to
only listens to localhost, like most mysql daemon is configured to, to
enhance security.

I tried to look up manual for nfsd which says:

-H or --host hostname
specify a particular hostname (or address) that NFS requests
will be accepted on. By default, rpc.nfsd will accept NFS
requests on all known network addresses. Note that lockd (which
performs file locking services for NFS) may still accept request
on all known network addresses. This may change in future
releases of the Linux Kernel.

This almost hints -H is equal to --bind of many other daemons. I added
this to the call of nfsd in /etc/init.d/nfs-kernel-server (a debian box)
and restarted the service. Result not good:

# netstat -tl | grep nfs
tcp 0 0 *:nfs *:* LISTEN

where I expected

# netstat -tl | grep nfs
tcp 0 0 localhost:nfs *:* LISTEN

Question is how and can nfs-kernel-server of Linux bind to localhost?