RE: NFS Over Private Network

From: John Rowan Littell (
Date: Thu, 25 Mar 2004 09:08:04 -0500 (EST)


    Lo, Thomas Lindsay and the teakettle whistled in unison:

    > To what degree does this solution *protect* the share itself? Is there a
    > way to tie the server share to a given interface, or better yet, bind nfsd
    > itself to a specific interface? Call me paranoid, but I don't trust the
    > builtin security mechanisms of nfs too far, especially considering the
    > vulnerability rates of some Solaris rpc services in recent years.
    > If nfsd cannot be specifically bound to a given interface (and hence not
    > bound to others), then a private network between two machines will serve
    > only to prevent man-in-the-middle types of attacks but still leaves the
    > data vulnerable to any attack on the nfs server itself through the public
    > interfaces.
    > Ideas?

    I'd suggest SunScreen or ipfilter to block portmap and NFS traffic on the
    public interface. Yes, I realize that this is RPC we're talking about
    here, and as such can't be guaranteed to run on a particular port, but
    blocking port 111 and 2049 is usually a pretty good first pass at
    blocking NFS (or better yet, block everything on the public interface
    and only allow approved services). I've had good success with this
    approach and occasionally a private network myself.


    --
    John "Rowan" Littell
    Systems Administrator
    Earlham College Computing Services
    2004-03-25 09:00
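As a worked illustration of the "block everything on the public interface and only allow approved services" approach described in the reply above, here is an ipfilter rule set (added example, not part of the original thread or anyone's posted configuration). The interface names `hme0` (public) and `hme1` (private crossover link), the addresses, and the rule file path are assumptions; substitute the NFS server's real values. Because ipfilter is last-match unless a rule carries `quick`, every rule here uses `quick` so the file reads top to bottom.

```conf
# /etc/ipf/ipf.conf  (assumed path; check the ipf(1M) man page for your release)
# hme0 = public interface, hme1 = private link to the single NFS client (assumed)
# 192.168.100.1 = this server on hme1, 192.168.100.2 = the trusted client (assumed)

# Loopback is always permitted
pass in  quick on lo0 all
pass out quick on lo0 all

# Private link: portmap (111) and nfsd (2049) only from the one trusted peer.
# mountd, lockd and statd get dynamically assigned RPC ports, so the final
# "block ... all" on this interface is what actually keeps them private;
# add explicit pass rules for them only after pinning their ports.
pass in quick on hme1 proto tcp from 192.168.100.2 to 192.168.100.1 port = 111  flags S keep state
pass in quick on hme1 proto udp from 192.168.100.2 to 192.168.100.1 port = 111  keep state
pass in quick on hme1 proto tcp from 192.168.100.2 to 192.168.100.1 port = 2049 flags S keep state
pass in quick on hme1 proto udp from 192.168.100.2 to 192.168.100.1 port = 2049 keep state
block in log quick on hme1 all

# Public interface: default deny, with an explicit allow list of approved
# services (here only ssh). Nothing RPC-related is reachable from hme0,
# regardless of which port the RPC service happens to land on.
pass in quick on hme0 proto tcp from any to any port = 22 flags S keep state
block in log quick on hme0 all

# Outbound: permit and keep state so replies to our own connections return
pass out quick on hme0 proto tcp  all flags S keep state
pass out quick on hme0 proto udp  all keep state
pass out quick on hme0 proto icmp all keep state
pass out quick on hme1 all keep state
```

Load it with `ipf -Fa -f /etc/ipf/ipf.conf` and confirm the loaded rules with `ipfstat -io`. To verify the effect, run `rpcinfo -p <public address>` from a host on the public network: it should time out rather than list nfs and mountd, while the same query against the private address from the trusted client still succeeds. The logged blocks on hme0 (`ipmon`) also give a useful record of who is probing portmap from outside.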
