RE: NFS Over Private Network
From: Simon Thornton (simon.thornton_at_swift.com)
Date: Thu, 25 Mar 2004 10:19:01 +0100
To: "'Michael Wright'" <email@example.com>, firstname.lastname@example.org

At the least I would replace the SUN portmapper with the one from the
TCPwrappers suite. This will allow you to restrict access
(/etc/hosts.allow) on the IP level to portmap and therefore to some
services. For the NIC setup, use a separate subnet to the main interface
and disable IP forwarding. It should not be possible for someone on the
main network to send traffic to the private network. Some people use
IPv6 on the backend if their front end only supports IPv4.

You might also consider using a VPN tunnel or encrypting the NFS traffic
between the boxes (stunnel, cipe, ssh etc) to avoid NFS being visible on

If all the RPC & NFS traffic is on the backend segment and no IP
forwarding is permitted on the hosts, then MITM attacks on NFS from the
front end network should not be possible.

I would consider if NFS is really necessary; wherever possible don't use
it. Maybe shared drive arrays are a better solution, they are certainly

From: Michael Wright [mailto:email@example.com]
Sent: Wednesday, March 24, 2004 22:45
Subject: NFS Over Private Network

Hi, I have two Sun Servers (one running Solaris 8 the other Solaris 9).
I would like to try and set up the machines so that I can use NFS over a
private network between the two machines using their second NIC cards.
Is this possible? Any information and suggestions would be greatly
appreciated. Also, do I have to set anything special for the NICs as
far as routing is concerned?

PS: I know something like this was on the list previously, but I
couldn't find any response to the question, so I'm asking again.
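
The /etc/hosts.allow restriction suggested in the reply above can be checked with a short script. This is an added example, not part of the original thread; the daemon name "portmap", the subnet 192.168.10.0/255.255.255.0, the sample files and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: the wrapped
# portmapper matches the daemon name "portmap", the backend subnet is
# 192.168.10.0/255.255.255.0, and each rule fits on one line (no "\"
# continuations, no EXCEPT operator).

# Print the client patterns a wrappers file lists for a daemon (or for ALL).
clients_for() {   # $1 = file, $2 = daemon name
    sed -e 's/#.*//' "$1" | awk -F: -v d="$2" '{
        n = split($1, daemons, /[ ,\t]+/)
        for (i = 1; i <= n; i++)
            if (daemons[i] == d || daemons[i] == "ALL") {
                m = split($2, c, /[ ,\t]+/)
                for (j = 1; j <= m; j++) if (c[j] != "") print c[j]
            }
    }'
}

# TCP wrappers grant access on a hosts.allow match, deny on a hosts.deny
# match, and grant access when neither file matches. A safe setup therefore
# needs a catch-all deny plus an allow list holding only the backend subnet.
portmap_restricted() {   # $1 = hosts.allow, $2 = hosts.deny, $3 = net/mask
    clients_for "$2" portmap | grep -qx 'ALL' || {
        echo "FAIL: hosts.deny has no 'portmap: ALL' (or ALL: ALL) rule"
        return 1
    }
    bad=$(clients_for "$1" portmap | grep -vxF "$3" || true)
    [ -z "$bad" ] || {
        echo "FAIL: portmap also allowed from: $bad"
        return 1
    }
    echo "OK: portmap reachable only from $3"
}

# Constructed sample files (not taken from any real host).
tmp=$(mktemp -d)
net=192.168.10.0/255.255.255.0
printf 'portmap: ALL\n' > "$tmp/hosts.deny"
printf '# backend segment only\nportmap: %s\n' "$net" > "$tmp/allow.good"
printf 'portmap: %s, 10.1.2.0/255.255.255.0\n' "$net" > "$tmp/allow.weak"

portmap_restricted "$tmp/allow.good" "$tmp/hosts.deny" "$net" || true
portmap_restricted "$tmp/allow.weak" "$tmp/hosts.deny" "$net" || true
```

On the real hosts the arguments would be /etc/hosts.allow and /etc/hosts.deny. For the forwarding part of the advice, `ndd /dev/ip ip_forwarding` on Solaris 8 and 9 should print 0 on both machines.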