From owner-freebsd-isp Mon Jun 18 10:50:20 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from prox.centtech.com (moat2.centtech.com [206.196.95.21]) by hub.freebsd.org (Postfix) with ESMTP id 980A937B403; Mon, 18 Jun 2001 10:50:14 -0700 (PDT) (envelope-from anderson@centtech.com)
Received: (from smap@localhost) by prox.centtech.com (8.9.3+Sun/8.9.3) id JAA29485; Mon, 18 Jun 2001 09:49:18 -0500 (CDT)
Received: from sprint.centtech.com(10.177.173.31) by prox via smap (V2.1+anti-relay+anti-spam) id xma029481; Mon, 18 Jun 01 09:48:57 -0500
Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id JAA24949; Mon, 18 Jun 2001 09:48:57 -0500 (CDT)
Message-ID: <3B2E14DA.C2819177@centtech.com>
Date: Mon, 18 Jun 2001 09:48:58 -0500
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.14-5.0smp i686)
X-Accept-Language: en
MIME-Version: 1.0
To: Randy Smith
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Require IPsec for NFS
References: <3B2E10A1.5000302@amigo.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

When adding your SPDs, you can restrict to port numbers and IP addresses. Check out 'man setkey', and look for 'dst_range'. That should get you started.

Eric

Randy Smith wrote:
>
> Hi all,
>
> I have a server that I want to mirror. I'm using NFS to connect the
> primary server to the mirror. The mirror is the NFS server and the
> primary server is the only IP address allowed to connect to portmap in
> /etc/hosts.allow. In order to prevent IP spoof attacks against NFS, I
> have IPsec set up between the hosts to authenticate the packets. That
> seems to prevent IP spoofing.
>
> I want to know if it is possible to require all NFS connections to use
> IPsec, or is this setup a reasonable way to protect NFS?
>
> --
> Randy Smith
> Amigo.Net Systems Administrator
> 1-719-589-6100 x 4185
> http://www.amigo.net/

--
-------------------------------------------------------------------------------
Eric Anderson        anderson@centtech.com        Centaur Technology        (512) 418-5792
For every complex problem, there is a solution that is simple, neat, and wrong.
-------------------------------------------------------------------------------
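A worked example of the port-restricted SPD entries Eric points to, added here as an illustration and not taken from either post. Assumed placeholder addresses: 192.0.2.10 is the primary (the NFS client) and 192.0.2.20 is the mirror (the NFS server); the ESP transport-mode SAs between the two hosts are assumed to exist already (negotiated by racoon or added with manual 'add' entries, not shown). The file is loaded on the mirror with 'setkey -f'.

```conf
# Assumed placeholder addresses: primary 192.0.2.10, mirror 192.0.2.20.
# Load on the mirror (the NFS server) with:  setkey -f thisfile
# ESP transport-mode SAs between the hosts are assumed to exist already;
# the 'require' level drops packets that have no matching SA instead of
# letting them through in the clear.

spdflush;

# NFS itself (2049, UDP and TCP) and the portmapper (111) from the primary
# must arrive inside ESP, and the replies must leave inside ESP.
spdadd 192.0.2.10 192.0.2.20[2049] udp -P in  ipsec esp/transport//require;
spdadd 192.0.2.10 192.0.2.20[2049] tcp -P in  ipsec esp/transport//require;
spdadd 192.0.2.10 192.0.2.20[111]  udp -P in  ipsec esp/transport//require;
spdadd 192.0.2.10 192.0.2.20[111]  tcp -P in  ipsec esp/transport//require;
spdadd 192.0.2.20[2049] 192.0.2.10 udp -P out ipsec esp/transport//require;
spdadd 192.0.2.20[2049] 192.0.2.10 tcp -P out ipsec esp/transport//require;
spdadd 192.0.2.20[111]  192.0.2.10 udp -P out ipsec esp/transport//require;
spdadd 192.0.2.20[111]  192.0.2.10 tcp -P out ipsec esp/transport//require;

# Every other source reaching the NFS port is discarded outright, so the
# hosts.allow rule (which, as described in the post, gates only portmap)
# is no longer the only thing standing in front of nfsd.
# These are added after the specific entries on the assumption that SPD
# lookup is first-match in insertion order; confirm on your kernel by
# dumping the policies with 'setkey -DP'.
spdadd 0.0.0.0/0 192.0.2.20[2049] udp -P in discard;
spdadd 0.0.0.0/0 192.0.2.20[2049] tcp -P in discard;

# mountd, lockd and statd get their ports from portmap at run time, so to
# cover the whole RPC set the usual alternative is a host-to-host pair of
# entries with no port selector at all:
#   spdadd 192.0.2.10 192.0.2.20 any -P in  ipsec esp/transport//require;
#   spdadd 192.0.2.20 192.0.2.10 any -P out ipsec esp/transport//require;
```

The primary needs the mirror image of the in/out entries, and a 'require' policy with no live SA silently drops the traffic, so watch for NFS hangs after loading it.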