Re: securing a network with nfs

From: Corey Steele (
Date: 08/13/01

Message-Id: <>
Date: Mon, 13 Aug 2001 07:51:57 -0500
From: "Corey Steele" <>
To: "<" <>
Subject: Re: securing a network with nfs

I would see the following as being ideal for your situation...

    (private LAN)

The firewall has two interfaces, one to the DMZ, and one to the private LAN.

The DMZ should be configured with IP forwarding and packet filtering, so mail trafic and web, etc. all make it through the firewall unmolested, but requests to your NFS servers don't... of course, this only protects you at the service level. You can configure NFS a little more securly too, by:
1) use the noexec and nosuid options on all exported filesystems on the NFS server.
2) use only IPs in /etc/exports
3) read; its not OpenBSD specific, but it does a really good job touching on NFS security.

The private LAN interface should be configured with NAT and stateful packet filtering to hide all your inside machines.

If your backup solution is network-based and thus would need to be able to contact the NFS server directly, then you could setup a static rule to permit that through your firewall.

Best Regards,

<<<< This is in reply to a post by David Johnson which said.... >>>>

As my small isp expands, we need to move to a centralized file storage
point (easier backups; also, if the mail server goes down, I want to be
able to toss on another box quick without having to grab the files from
the old server or backups of it; this can also lead to multiple
mailservers receiving at different priorities). The obvious solution is
NFS. But to run an NFS box out open on the net, not in a dmz, is rather
dangerous IMO. And setting up one firewall to hide all boxes behind is
hard to do (especially with ftp), and it's a choke point.

Corey J. Steele, Security Analyst
Good Samaritan Society
voice: (605) 362-3899