Date:      Mon, 18 Jun 2001 09:10:33 -0600
From:      Randy Smith <randys@amigo.net>
To:        anderson@centtech.com
Cc:        freebsd-isp <freebsd-isp@freebsd.org>, freebsd-security <freebsd-security@freebsd.org>
Subject:   Re: Require IPsec for NFS
Message-ID:  <3B2E19E9.9020100@amigo.net>
References:  <3B2E10A1.5000302@amigo.net> <3B2E14DA.C2819177@centtech.com>

Eric Anderson wrote:

> When adding your spd's, you can restrict to port numbers and ip
> addresses.
> Check out 'man setkey', and look for 'dst_range'.  That should get you
> started.


I'm currently set up to encrypt all traffic between the two hosts. I want 
to make sure that if a cracker gets past the protection from 
hosts.allow, he still has to deal with the IPsec to hijack/screw with 
the connection.

Thanks for the response.

Randy

> 
> Eric
> 
> 
> Randy Smith wrote:
> 
>>Hi all,
>>
>>I have a server that I want to mirror. I'm using NFS to connect the
>>primary server to the mirror. The mirror is the NFS server and the
>>primary server is the only IP address allowed to connect to portmap in
>>/etc/hosts.allow. In order to prevent IP spoof attacks against NFS, I
>>have IPsec set up between the hosts to authenticate the packets. That
>>seems to prevent IP spoofing.
>>
>>I want to know if it is possible to require all NFS connections to use
>>IPsec or will this setup be a reasonable way to protect NFS?
>>
>>--
>>Randy Smith
>>Amigo.Net Systems Administrator
>>1-719-589-6100 x 4185
>>http://www.amigo.net/
>>
> 
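
An added example, not part of either poster's message: a small Python audit of setkey(8) `spdadd` lines that reports when traffic between the primary and the NFS mirror is not forced through IPsec, since a policy at level `use` falls back to cleartext when no SA exists while `require` does not. The addresses, the sample policy text and the function names are constructed for illustration, and only exact host addresses are matched.

```python
import re

# Constructed sample setkey(8) input, written from the NFS server's side.
# Addresses are documentation-range placeholders, not values from the thread.
SAMPLE_CONF = """
spdflush;
# primary = 192.0.2.10, mirror / NFS server = 192.0.2.20
spdadd 192.0.2.10 192.0.2.20 any -P in  ipsec esp/transport//require;
spdadd 192.0.2.20 192.0.2.10 any -P out ipsec esp/transport//use;
"""

SPD_RE = re.compile(
    r"^\s*spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+"
    r"-P\s+(?P<dir>in|out)\s+(?P<action>\w+)(?P<rules>[^;]*);", re.M)

def host(spec):
    """Strip a /prefix or [port] suffix; this sketch matches exact hosts only."""
    return re.split(r"[\[/]", spec)[0]

def parse_spd(conf):
    entries = []
    for m in SPD_RE.finditer(conf):
        e = m.groupdict()
        # Each rule is protocol/mode/src-dst/level; an empty level means "default".
        e["levels"] = [(r.split("/") + [""] * 3)[3] or "default"
                       for r in e.pop("rules").split()]
        entries.append(e)
    return entries

def audit(conf, client, server):
    """Findings for client<->server traffic as seen by the server's SPD."""
    findings, spd = [], parse_spd(conf)
    for direction, src, dst in (("in", client, server), ("out", server, client)):
        hits = [e for e in spd if e["dir"] == direction
                and host(e["src"]) == src and host(e["dst"]) == dst]
        if not hits:
            findings.append(f"{direction}: no policy, packets pass unprotected")
        for e in hits:
            weak = [l for l in e["levels"] if l not in ("require", "unique")]
            if e["action"] != "ipsec":
                findings.append(f"{direction}: action is '{e['action']}', not ipsec")
            elif weak:
                findings.append(f"{direction}: level {weak} does not guarantee IPsec")
            if e["proto"] != "any" or "[" in e["src"] + e["dst"]:
                findings.append(f"{direction}: limited to selected ports/protocols")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONF, "192.0.2.10", "192.0.2.20"):
        print(line)
```

A policy narrowed to one port is flagged because NFS also depends on portmap and other RPC services that such a selector would leave outside IPsec.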


