Date:      Wed, 26 Jan 2005 10:14:30 +0100
From:      cpghost <cpghost@cordula.ws>
To:        Chuck Swiger <cswiger@mac.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Restricting NFS daemons
Message-ID:  <41F75F76.5030900@cordula.ws>
In-Reply-To: <41F6B3AA.8060608@mac.com>
References:  <41F640BA.2040707@cordula.ws> <41F6B3AA.8060608@mac.com>

Chuck Swiger wrote:

> cpghost wrote:
>
>> how can one configure NFS daemons (esp. mountd and rpcbind) so that 
>> they listen only on one IP address (e.g. on 192.168.1.1)?
>
> While some of the daemons are growing flags to bind only to specified 
> addresses, it turns out to be unwise to depend on that capability 
> alone to protect a fileserver.  If you want to do NFS securely, you 
> need to protect the network by using a firewall which prevents 
> source-routing and address spoofing of internal hosts.
>
I know this is the default action in most scenarios.

However, in this very special case, using a packet filter is not an option.

The host is multi-homed, so a lot of address spoofing and source routing
tricks are not that easy anyway (though certainly not impossible, due to
the intricacies of NAT).

It would be nice if at least rpcbind honored its -h flag and mountd grew its
own flag to bind(2) to specific addresses. It's perhaps just a few lines of code;
I'll have to dive into that socket API though... :).

Thanks,
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
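Binding a daemon to one specific local address, as the message wishes mountd could do, shown here as an added C example that is not code from the thread or from FreeBSD's daemons: the listener accepts only a literal address (no DNS lookup) via getaddrinfo(3) and bind(2), and a helper reads the bound address back with getsockname(2) so the restriction can be verified the way sockstat(1) would show it. The names listen_on_address and binds_to_address are the example's own.

```c
/* Added example (not from the thread): bind a listening socket to one
 * specific local address, as a "-h addr" daemon flag would, instead of
 * the INADDR_ANY wildcard.  Port "0" lets the kernel pick a free port. */
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns a listening TCP socket bound to host:port, or -1 on failure. */
int listen_on_address(const char *host, const char *port)
{
    struct addrinfo hints, *res, *ai;
    int fd = -1;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;   /* literal address only, no DNS lookup */
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return -1;
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0)
            continue;
        if (bind(fd, ai->ai_addr, ai->ai_addrlen) == 0 && listen(fd, 16) == 0)
            break;                     /* bound to exactly this address */
        close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    return fd;
}

/* Verification helper: 1 if a listener for host is really bound to host
 * (read back with getsockname, as sockstat/netstat would report), else 0. */
int binds_to_address(const char *host)
{
    char buf[256];
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    int fd = listen_on_address(host, "0");
    int ok = 0;
    if (fd >= 0 && getsockname(fd, (struct sockaddr *)&ss, &len) == 0 &&
        getnameinfo((struct sockaddr *)&ss, len, buf, sizeof buf, NULL, 0,
                    NI_NUMERICHOST) == 0)
        ok = strcmp(buf, host) == 0;
    if (fd >= 0)
        close(fd);
    return ok;
}
```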
