diff --git a/RELNOTES b/RELNOTES
--- a/RELNOTES
+++ b/RELNOTES
@@ -10,10 +10,19 @@
 
 Changes to this file should not be MFCed.
 
+xxxxxxxxxxxx:
+	The default value of the nfs_reserved_port_only rc.conf setting has
+	changed.  The FreeBSD NFS server now requires the source port of
+	requests to be in the privileged port range (i.e., <= 1023), which
+	generally requires the client to have elevated privileges on their local
+	system.  The previous behavior can be restored by setting
+	nfs_reserved_port_only=NO in rc.conf.
+
 aea973501b19:
 	ktrace(2) will now record detailed information about capability mode
 	violations. The kdump(1) utility has been updated to display such
 	information.
+
 f32a6403d346:
 	One True Awk updated to 2nd Edition. See https://awk.dev for details
 	on the additions. Unicode and CSVs (Comma Separated Values) are now
diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf
--- a/libexec/rc/rc.conf
+++ b/libexec/rc/rc.conf
@@ -386,7 +386,7 @@
 mountd_enable="NO"		# Run mountd (or NO).
 mountd_flags="-r -S"		# Flags to mountd (if NFS server enabled).
 weak_mountd_authentication="NO"	# Allow non-root mount requests to be served.
-nfs_reserved_port_only="NO"	# Provide NFS only on secure port (or NO).
+nfs_reserved_port_only="YES"	# Provide NFS only on secure port (or NO).
 nfs_bufpackets=""		# bufspace (in packets) for client
 rpc_lockd_enable="NO"		# Run NFS rpc.lockd needed for client/server.
 rpc_lockd_flags=""		# Flags to rpc.lockd (if enabled).