Date:      Wed, 03 Nov 1999 12:32:44 -0700
From:      "Juan Lorenzana" <lorenzaj@agcs.com>
To:        hackers@FreeBSD.org, freebsd-questions@FreeBSD.org, lorenzaj@agcs.com
Subject:   nfs cookie spoofing patch
Message-ID:  <38208DDC.297EE98B@agcs.com>

I was wondering if I could get some help.

I am running a FreeBSD 2.2.8 machine configured as a nfs server.  We are
trying to get another machine running 2.2.8 to mount from the nfs
server.  Our challenge is that we are using a virtual ip and would like
to mount the virtual ip.  We are already doing this with SCO unix as
well as Sun Solaris.  The problem is that when I type

mount -t argonnfs:/u /u
(I have also tried with -o -i,-s,-r=1024,-w=1024 options and all
permutation of the options, including mount_nfs -T)

I'll hang waiting for the request to time out.  After extensive
troubleshooting, I think it is because of the "security feature" to prevent NFS
cookie spoofing based attacks.  Basically, there is an nfs check that
will not allow freebsd nfs client to request an nfs mount and have the
machine where the nfs request is being made to reply with its real ip
instead of the virtual.  It is as if freebsd hangs because the reply for
the mount came from a second ip address.  Please reference the following
url from Terry Lambert.  I tried to find the patch that was mentioned in
the url, but could not.
 http://www.freebsd.org/cgi/mid.cgi?db=irt&id=Pine.BSF.3.91.961031140040.536K-100000@dyslexic.phoenix.net

Can anyone help me or point me in the right direction? I would like to
disable the nfs check or find a workaround.  The reason we use the
virtual ip address is because we have designed some failover code that
allows us to failover nfs in about 3 seconds, from one system to
another.  By passing the virtual ip around from one machine to another,
all the machines that had mounted the filesystem never really notice an
outage. With a RAID attached and exporting the filesystem, we can
achieve high availability of data (not quite fault tolerant, but getting
there).

Any help is appreciated.  Thanks.

Regards,

--
Juan Lorenzana
AG Communication Systems
Phoenix, AZ

602-582-7442
lorenzaj@agcs.com
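
An added illustration, not part of the original message and not FreeBSD code: assuming the check described above behaves like a connected UDP socket, this shows a request sent to one address timing out when the answer comes back from another, and an unconnected socket receiving it but having to validate the reply itself. The loopback addresses stand in for the virtual and real server IPs, the payloads are placeholders rather than NFS RPC, and binding 127.0.0.2 assumes a host (such as Linux) where all of 127/8 is local.

```python
import socket

# Constructed stand-ins (assumptions): VIP is the address the client mounts,
# REAL is the address the server actually answers from.
VIP, REAL = "127.0.0.1", "127.0.0.2"

def mount_attempt(connected: bool, timeout: float = 0.5):
    """Send one request to VIP and have the server answer from REAL.
    Returns the reply's source IP, or None if the client timed out."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    replier = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind((VIP, 0))
        port = listener.getsockname()[1]
        replier.bind((REAL, port))       # same port, so only the IP differs
        listener.settimeout(timeout)
        client.settimeout(timeout)
        if connected:
            # connect() pins the peer: the kernel discards datagrams whose
            # source is not exactly (VIP, port) before the client sees them.
            client.connect((VIP, port))
            client.send(b"xid=1 request")
        else:
            # Unconnected: any source can deliver to this socket, so the
            # client must validate replies itself (here: the xid prefix).
            client.sendto(b"xid=1 request", (VIP, port))
        _, client_addr = listener.recvfrom(512)
        replier.sendto(b"xid=1 reply", client_addr)   # answer from REAL
        try:
            data, src = client.recvfrom(512)
        except socket.timeout:
            return None                  # reply never reached the client
        return src[0] if data.startswith(b"xid=1 ") else None
    finally:
        for s in (listener, replier, client):
            s.close()

if __name__ == "__main__":
    print("connected client  :", mount_attempt(connected=True))
    print("unconnected client:", mount_attempt(connected=False))
```

The unconnected case accepts a datagram from any source, so the reply matching it does (a single fixed prefix here) is the only thing standing between the client and a forged answer.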



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?38208DDC.297EE98B>