From: Manolis Kiagias
Date: Tue, 03 Mar 2009 18:10:51 +0200
To: Lazaro Daniel Salem <lazaro.d.salem@gmail.com>
Cc: doc@FreeBSD.org
Subject: Re: FreeBSD Jumpstart Guide
Message-ID: <49AD568B.10201@gmail.com>

Lazaro Daniel Salem wrote:
> Hi!
>
> In this very nice article
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/articles/pxe/article.html
>
> it is said:
>
> Warning!!: This procedure will make the "Server" both insecure and
> dangerous, it is best to just keep the "Server" on its own hub and not
> in any way accessible by any machines other than the "Clients".
>
>
> I assume exporting NFS to the whole (sub)network and running tftp makes
> the system more vulnerable though I am not sure I remember all the
> details.

Just by reading the article (and not ever having performed this) it seems this is the insecure part:

(/etc/exports)

/usr -alldirs -ro

This is exporting to the whole world - in theory someone from the Internet could mount it. It would be a lot safer if it were:

/usr -network 10.8.253.0 -mask 255.255.255.0 -alldirs -ro

(using the network the author provides in the sample dhcpd.conf)

In theory DHCP would assign you an address that would have access to this, and you would not have to share /usr to the entire planet. I don't know if I am overlooking something though.
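
The difference between the two /etc/exports lines above can be checked mechanically. The following is an added example, not part of the original message or the FreeBSD article: a small Python audit that reports which clients each export line admits. It assumes a simplified reading of the exports(5) syntax (no line continuations, networks written as full dotted addresses); the sample file, the third sample line and the names parse_line and audit are constructed for illustration.

```python
import ipaddress

# Options whose value may follow as "-opt=value" or "-opt value" (simplified reading of exports(5)).
TAKES_ARG = {"maproot", "mapall", "network", "mask", "sec", "index"}

# Constructed sample: the article's line, the line suggested in the reply, and a host-list line.
SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/usr -alldirs -ro
/usr -network 10.8.253.0 -mask 255.255.255.0 -alldirs -ro
/home -maproot=0 client1.example.org
"""

def parse_line(line):
    """Return (dirs, network, hosts) for one exports line, or None if blank/comment."""
    tokens = line.split("#", 1)[0].split()
    if not tokens:
        return None
    dirs, hosts, opts = [], [], {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            name, sep, value = tok[1:].partition("=")
            if not sep and name in TAKES_ARG and i + 1 < len(tokens):
                i += 1                      # value is the next token
                value = tokens[i]
            opts[name] = value
        elif tok.startswith("/") and not opts and not hosts:
            dirs.append(tok)                # exported directories come first
        else:
            hosts.append(tok)               # anything else is a host or netgroup
        i += 1
    network = opts.get("network")
    if network and ("mask" in opts or "/" in network):
        spec = f"{network.split('/')[0]}/{opts['mask']}" if "mask" in opts else network
        network = str(ipaddress.ip_network(spec, strict=False))
    return dirs, network, hosts

def audit(text):
    """Return [(line_no, dirs, scope)]; scope is 'WORLD' when no host or network limits clients."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is not None:
            dirs, network, hosts = parsed
            scope = " ".join(([network] if network else []) + hosts)
            findings.append((no, dirs, scope or "WORLD"))
    return findings
```

A -network restriction filters on the client's source address only, so it narrows who can mount the export but does not authenticate them.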