Date:      Mon, 18 Jun 2001 10:58:01 -0600
From:      Randy Smith <randys@amigo.net>
To:        Paul Khavkine <paul@colba.net>
Cc:        freebsd-isp@freebsd.org
Subject:   Re: Require IPsec for NFS
Message-ID:  <3B2E3319.3040700@amigo.net>
References:  <3B2E10A1.5000302@amigo.net> <3B2E4C00.C9288AEC@colba.net> <3B2E177A.3000908@amigo.net> <3B2E542B.142C8295@colba.net>

Paul Khavkine wrote:

> Well if you don't know in advance what IP of the connecting machine that would
> be more tricky.


It is at that. I know the IP of the server that's talking to the mirror 
and I did my best to lock out connections to portmap and NFS through 
hosts.allow to all but that box. The catch is, and we all should know 
this, NFS has security issues. I want to do my best to limit the risk and 
still get the functionality.

I know that none of my other boxes will be connecting. I just want to 
make sure that no one else does either.


> I have only started reading up on it on the weekend because I want to use SSH
> Sentinel for VPN connections with dynamic IPs.
> You'll probably have to use certificates and force all NFS (port 2049, I think)
> and portmap traffic to go
> over IPSec.
> 
> I'll be reading up on this in next few days, so I'll let you know what I find.
> I might use that for NIS.
> 
> Thanx
> Paul
> 
> Randy Smith wrote:
> 
> 
>>Paul Khavkine wrote:
>>
>>
>>>You'll have to probably use IPSec for all traffic between the 2 boxen.
>>>Check out this HOWTO:
>>>
>>I have that setup already.
>>
>>I re-read my first post and I left out some info so let me clarify a
>>bit. I want to make sure that if a remote (possibly unknown) machine
>>tries to make an NFS connection, it must do it over IPsec. Portmap
>>"should" refuse connections from all but the specified IP but if that is
>>spoofed (or otherwise compromised), I want to make sure that the
>>connection must use IPsec to authenticate the connection, etc. (You
>>know, all the good things that IPsec is supposed to do.)
>>
>>Thanks for the help.
>>
>>Randy
>>
>>
>>>http://ezine.daemonnews.org/200101/ipsec-howto.html
>>>
>>ps . As an aside, I went right to the Handbook (Chpt 8.9) for docs on IPsec.
>>
>>
>>>Cheers
>>>Paul
>>>
>>>
>>>Randy Smith wrote:
>>>
>>>
>>>
>>>>Hi all,
>>>>
>>>>I have a server that I want to mirror. I'm using NFS to connect the
>>>>primary server to the mirror. The mirror is the NFS server and the
>>>>primary server is the only IP address allowed to connect to portmap in
>>>>/etc/hosts.allow. In order to prevent IP spoofing attacks against NFS, I
>>>>have IPsec set up between the hosts to authenticate the packets. That
>>>>seems to prevent IP spoofing.
>>>>
>>>>I want to know if it is possible to require all NFS connections to use
>>>>IPsec, or is this setup a reasonable way to protect NFS?
>>>>
>>>>--
>>>>Randy Smith
>>>>Amigo.Net Systems Administrator
>>>>1-719-589-6100 x 4185
>>>>http://www.amigo.net/
>>>>
>>>>To Unsubscribe: send mail to majordomo@FreeBSD.org
>>>>with "unsubscribe freebsd-isp" in the body of the message
>>>>
>>>>
>>>--
>>>*************************************************
>>>Paul Khavkine
>>>Network Administrator
>>>Distributel Communications
>>>740 Notre Dame West, Suite 1135
>>>Montreal, Quebec, Canada, H3C 3X6
>>>1-514-877-0064
>>>




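As an added illustration of the policy the thread is after (not code from either poster), this script emits a FreeBSD setkey(8) SPD configuration that makes the NFS server's kernel refuse any NFS or portmap packet, from any source, that is not carried inside ESP, plus the matching hosts.allow pair. The 10.0.0.x addresses are constructed placeholders, and the script assumes the IPsec SAs between the two hosts are already set up.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Generates setkey(8)
# security-policy lines for the NFS server (the mirror). Addresses are
# constructed placeholders; SAs (keys) are assumed to exist already.

# $1 = the NFS server's own address.
nfs_ipsec_policy() {
    server="$1"
    # 2049 is NFS, 111 is portmap; cover both TCP and UDP. The source is
    # 0.0.0.0/0 so the rule applies to unknown hosts too, not just the
    # one client listed in hosts.allow. Level "require" makes the kernel
    # drop matching packets that are not ESP-protected, in both directions,
    # instead of letting a spoofed clear-text packet through.
    for proto in tcp udp; do
        for port in 2049 111; do
            printf 'spdadd 0.0.0.0/0 %s[%s] %s -P in ipsec esp/transport//require;\n' \
                "$server" "$port" "$proto"
            printf 'spdadd %s[%s] 0.0.0.0/0 %s -P out ipsec esp/transport//require;\n' \
                "$server" "$port" "$proto"
        done
    done
}

# The TCP-wrapper layer already used in the thread; $1 = permitted client.
# Keeps portmap reachable from the primary only, as a second control.
nfs_hosts_allow() {
    client="$1"
    printf 'portmap : %s : allow\nportmap : ALL : deny\n' "$client"
}

# Print the policy; load it on the server with:  setkey -c < nfs-ipsec.conf
nfs_ipsec_policy 10.0.0.1
nfs_hosts_allow 10.0.0.2
```

Caveat: mountd, lockd and statd take ports assigned through portmap, so a port-based policy like this leaves them in the clear; between two known hosts a per-host policy covering all traffic (what Paul suggested) is simpler and closes that gap.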
