RE: NFS Over Private Network
From: Randy Williams (randyw_at_techsource.com)
To: <email@example.com> Date: Thu, 25 Mar 2004 11:31:20 -0500
I may be off the mark here, but if your NFS configuration isolates the NFS
shares to a significant degree (hosts, users, etc) then only the NFS daemon
would be the weak spot (within the scope of NFS of course, if the host NFS
server is compromised via a security weakness, then this goes out the
Or, thinking out loud, would the "mount" command betray you, as it would
publish all directories/mount points being published on the target machine.
Is there any way to prevent mount, iostat, netstat or any other I/O
measurement from giving the mount away?
Am I chasing rabbits?
From: Thomas Lindsay [mailto:firstname.lastname@example.org]
Sent: Wednesday, March 24, 2004 11:53 PM
To: Leeds, Daniel
Cc: 'Michael Wright'; email@example.com
Subject: RE: NFS Over Private Network
To what degree does this solution *protect* the share itself? Is there a
way to tie the server share to a given interface, or better yet, bind nfsd
itself to a specific interface? Call me paranoid, but I don't trust the
builtin security mechanisms of nfs too far, especially considering the
vulnerability rates of some Solaris rpc services in recent years.
If nfsd cannot be specifically bound to a given interface (and hence not
bound to others), then a private network between two machines will serve
only to prevent man-in-the-middle types of attacks but still leaves the
data vulnerable to any attack on the nfs server itself through the public
UNIX systems administrator
Social Science Research Facility
University of Minnesota
On Wed, 24 Mar 2004, Leeds, Daniel wrote:
> should be simple. you can either cross connect the two machines secondary
> interfaces or plug each interface into a seperate VLAN/switch/hub.
> setup the ip's on each machine and hosts/dns entries as needed. verify
> connectivity via ping etc between the hosts.
> setup NFS as normal but mount via the private VLAN. so if hosta and hostb
> are primary and hosta-priv and hostb-priv are the new private network
> your mount scenario would be:
> on host a: mount hostb-priv:/export /export
> on host b: mount hosta-priv:/export /export
> etc etc etc.
> > -----Original Message-----
> > From: Michael Wright [mailto:firstname.lastname@example.org]
> > Sent: Wednesday, March 24, 2004 1:45 PM
> > To: email@example.com
> > Subject: NFS Over Private Network
> > Hi, I have two Sun Servers (one running Solaris 8 the other
> > Solaris 9).
> > I would like to try and setup the machines so that I can use
> > NFS over a
> > private network between the two machines using their second
> > NIC cards.
> > Is this possible? Any information and suggestions would be greatly
> > appreciated. Also, do I have to set anything special for the NICs as
> > far as routing is concerned?
> > Thanks,
> > Michael
> > PS: I know something like this was on the list previously, but I
> > couldn't find any response to the question, so I'm asking again.
> > --
> > Michael Wright
> > Technical Support Specialist
> > Computer Science and Engineering
> > email:firstname.lastname@example.org
> > Pacific Lutheran University
> > phone: 253-535-7408
> > Tacoma, WA 98447-0003 fax: 253-535-8700