From: Randy Smith
Organization: Amigo.Net
Date: Mon, 18 Jun 2001 08:30:57 -0600
Message-ID: <3B2E10A1.5000302@amigo.net>
To: freebsd-isp@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Require IPsec for NFS

Hi all,

I have a server that I want to mirror. I'm using NFS to connect the primary server to the mirror. The mirror is the NFS server and the primary server is the only IP address allowed to connect to portmap in /etc/hosts.allow.

In order to prevent IP spoof attacks against NFS, I have IPsec set up between the hosts to authenticate the packets. That seems to prevent IP spoofing.

I want to know if it is possible to require all NFS connections to use IPsec or will this setup be a reasonable way to protect NFS?

--
Randy Smith
Amigo.Net Systems Administrator
1-719-589-6100 x 4185
http://www.amigo.net/
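
The setup described in the message, sketched as a setkey(8) policy file for the mirror (the NFS server). This is an added example, not configuration from the original post. The addresses (documentation range 192.0.2.0/24), the SPI values, the key placeholders, and the choice of manually keyed AH with hmac-sha1 are all assumptions.

```conf
# /etc/ipsec.conf on the mirror (NFS server); load with: setkey -f /etc/ipsec.conf
# Constructed addresses (assumptions, not from the post):
#   192.0.2.10 = primary server (NFS client)
#   192.0.2.20 = mirror (NFS server, this host)

flush;      # clear existing security associations
spdflush;   # clear existing security policies

# Manually keyed AH security associations, one per direction.
# hmac-sha1 takes a 20-byte key; the quoted strings are placeholders
# and must be replaced with secret values shared by both hosts.
add 192.0.2.10 192.0.2.20 ah 0x1000 -A hmac-sha1 "PLACEHOLDER-20-BYTES";
add 192.0.2.20 192.0.2.10 ah 0x1001 -A hmac-sha1 "PLACEHOLDER-20-BYTES";

# Inbound: anything arriving with the primary's source address must carry
# valid AH. At level "require" the kernel discards a matching packet that
# arrives without it, so a packet that only spoofs 192.0.2.10 is dropped
# before portmap, mountd or nfsd see it.
spdadd 192.0.2.10 192.0.2.20 any -P in ipsec ah/transport//require;

# Outbound: replies to the primary are sent with AH, or not at all.
spdadd 192.0.2.20 192.0.2.10 any -P out ipsec ah/transport//require;

# Scope of this file:
# - "any" covers every protocol and port between the two hosts, which
#   avoids having to list the dynamic RPC ports NFS uses.
# - The policy matches only the primary's address. Packets from other
#   sources never hit it, so the portmap restriction in /etc/hosts.allow
#   (or a packet filter) is still what keeps other hosts out.
# - AH authenticates packets but does not encrypt them.
# - The primary needs the same two "add" lines and the mirrored policies:
#   "-P out" for 192.0.2.10 -> 192.0.2.20 and "-P in" for the reverse.
```

After loading, `setkey -DP` lists the installed policies and `setkey -D` the security associations, which confirms that both directions are at level require.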