From: "Grant Peel" <gpeel@thenetnow.com>
Date: Sun, 4 Jul 2004 08:47:49 -0400
Organization: The Net Now
cc: freebsd-questions@freebsd.org
Subject: Re: NFS and Backups

Hmm,

Perhaps a complete layout and network explanation is in order here....

- I have a total of 5 servers, all running FreeBSD.
- All servers have two NICs, 1 LAN and 1 WAN, all are hardwired to my switch. (No wireless involved.)
- The switch IS configured to allow WAN access to WAN ports only, and LAN access to LAN ports only.
- WAN is using several hundred IPs on several subnets. LAN is using a single subnet of 254 (using the 192.168 schema).
- The servers are locked in a very secure cage, accessible by me, my partner (who never goes there), and a bonded network technician.
- Peer 1 is the colo provider (in the Toronto NOC).
- Two of my servers are our primary and secondary nameservers. The other three use those nameservers exclusively.
- The hosts files include two names for each server, the fully qualified domain i.e. "machine1.mydomain.com" and the LAN name which is just the local machine name i.e. "machine1".
- The exports files use the local machine name only i.e. "/backups -alldirs -maproot=0 machine1 machine2 ..."
- Just to be clear, each machine is plugged directly into the main switch shown below, no hubs or anything in between.

Here is the layout:

                    POP
                     |
                     |
                     |
               Peer 1 Router-------------------------------
                     |
      __________________My Switch (Dell 3324)______________
       |    |     |    |     |    |     |    |     |    |
      Lan  Wan   Lan  Wan   Lan  Wan   Lan  Wan   Lan  Wan
       Machine1   Machine2   Machine3   Machine4   Machine5

----- Original Message -----
From: "cpghost"
To:
Cc:
Sent: Saturday, July 03, 2004 9:12 PM
Subject: Re: NFS and Backups

> > > > I have recently decided to use some extra disk space on one of my
> > > > servers as backup space. I have NFS client and Servers running OK, but was
> > > > wondering how secure it really is.
> > >
> > > NFS is not secure at all. If you don't trust the local subnet, don't use NFS
> > > there. Certainly don't use NFS across the Internet, unless using a secure
> > > tunnelling/VPN protocol....
> >
> > So, If I set the exports so that it used 192.168.x.x, and, my managed switch
> > is only set to allow members of my vlan to use those IPs, I should be OK in
> > that case?
>
> Careful here! If you have a WLAN access point hooked to your switch,
> you're still vulnerable to war driving. Even if you don't use wireless
> LAN, you still have to be sure that the client can't be replaced
> with a rogue machine without you immediately knowing it (it happens
> in real life more frequently than you think, esp. in big offices
> with lots of computers). If you could avoid NFS for backups, then
> by all means, you should try. As said, building reliable backup/restore
> as well as ad hoc file swapping schemes on top of scp and ssh is a tried
> and quite secure method.
>
> --
> Cordula's Web. http://www.cordula.ws/
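The export line quoted above ("/backups -alldirs -maproot=0 machine1 machine2 ...") and cpghost's point that NFS only ever checks the client's address can be turned into a small audit of /etc/exports. This is an added example, not code from the thread or from FreeBSD; the sample export lines are constructed, and the tightened second line assumes a mountd that understands the -sec option.

```python
import re

def parse_exports(text):
    # exports(5) line: '/path... [-opt[,opt]...] [host|netgroup...]'. A '#' starts a
    # comment, a trailing backslash continues; -network/-mask take '=value' or the next word.
    exports = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        exp, pending = {"paths": [], "options": {}, "hosts": []}, None
        for tok in line.split():
            if pending:                      # word-form value for -network/-mask
                exp["options"][pending] = tok
                pending = None
            elif tok.startswith("/"):
                exp["paths"].append(tok)
            elif tok.startswith("-"):
                for opt in tok[1:].split(","):
                    key, _, val = opt.partition("=")
                    if key in ("network", "mask") and not val:
                        pending = key
                    else:
                        exp["options"][key] = val or True
            else:
                exp["hosts"].append(tok)
        exports.append(exp)
    return exports

def audit(exp):
    # One finding per way the export extends trust beyond what a backup target needs.
    o, hosts, out = exp["options"], exp["hosts"], []
    if not hosts and "network" not in o:
        out.append("no host list: exported to every host that can reach mountd")
    if str(o.get("maproot", "")).split(":")[0] in ("0", "root"):
        out.append("maproot=0: root on any permitted client is root on the export")
    if "alldirs" in o:
        out.append("alldirs: any subdirectory of the file system can be mounted")
    if "ro" not in o and "o" not in o:
        out.append("read-write: a permitted client can alter or delete the backups")
    named = [h for h in hosts if not re.fullmatch(r"[\d.]+|[0-9a-fA-F:]*:[0-9a-fA-F:.]*", h)]
    if named:
        out.append("names (%s) are resolved, then matched by address like any client" % ", ".join(named))
    if not str(o.get("sec", "sys")).startswith("krb5"):
        out.append("sec=sys: whoever presents a permitted address is fully trusted")
    return out

# Constructed sample: the thread's export line beside a tightened variant.
SAMPLE = """\
/backups -alldirs -maproot=0 machine1 machine2
/backups -ro -sec=krb5p -network 192.168.1.0 -mask 255.255.255.0
"""
```

Run `audit()` over `parse_exports(SAMPLE)`: the posted line yields five findings, the tightened line none; the remaining exposure on the second line is the LAN itself, which is exactly cpghost's rogue-machine caveat.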