RE: NFS Over Private Network

From: Simon Thornton (simon.thornton_at_swift.com)
Date: 03/25/04

    Date: Thu, 25 Mar 2004 10:19:01 +0100
    To: "'Michael Wright'" <cshelp@plu.edu>, focus-sun@securityfocus.com
    
    
    

    Hi Michael,

    At the least I would replace the SUN portmapper with the one from the
    TCPwrappers suite. This will allow you to restrict access
    (/etc/hosts.allow) on the IP level to portmap and therefore to some
    services. For the NIC setup, use a separate subnet to the main interface
    and disable IP forwarding. It should not be possible for someone on the
    main network to send traffic to the private network. Some people use
    IPV6 on the backend if their front end only supports IPV4.

    You might also consider using a VPN tunnel or encrypting the NFS traffic
    between the boxes (stunnel, cipe, ssh etc) to avoid NFS being visible on
    the wire.

    If all the RPC & NFS traffic is on the backend segment and no IP
    forwarding is permitted on the hosts, then MITM attacks on NFS, from the
    front end network should not be possible.

    I would consider if NFS is really necessary; wherever possible don't use
    it. Maybe shared drive arrays are a better solution; they are certainly
    more reliable.

    Rgds,

    Simon

    -----Original Message-----
    From: Michael Wright [mailto:cshelp@plu.edu]
    Sent: Wednesday, March 24, 2004 22:45
    To: focus-sun@securityfocus.com
    Subject: NFS Over Private Network

    Hi, I have two Sun Servers (one running Solaris 8 the other Solaris 9).

    I would like to try and set up the machines so that I can use NFS over a
    private network between the two machines using their second NIC cards.
    Is this possible? Any information and suggestions would be greatly
    appreciated. Also, do I have to set anything special for the NICs as
    far as routing is concerned?

    Thanks,

    Michael

    PS: I know something like this was on the list previously, but I
    couldn't find any response to the question, so I'm asking again.
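
An added example, not part of the original messages: a shell check that the TCP-wrappers rules for the portmapper really confine it to the backend subnet, as the reply above suggests. The daemon names `portmap`/`rpcbind`, the file arguments and the `192.168.10.` prefix are assumptions; adjust them to the installed wrapper build and the private subnet.

```shell
#!/bin/sh
# Audit hosts.allow / hosts.deny rules that apply to the portmapper.
# hosts_access(5) checks hosts.allow, then hosts.deny, then GRANTS access,
# so an allow rule restricts nothing unless hosts.deny has a catch-all.
# Limits of this sketch: no EXCEPT operators, no backslash continuations.

# Print each client pattern from file $1 whose daemon list names
# portmap, rpcbind (assumed daemon names) or ALL.
pm_clients() {
    awk -F: '
        /^[ \t]*#/ || NF < 2 { next }
        {
            n = split($1, d, /[ \t,]+/); hit = 0
            for (i = 1; i <= n; i++)
                if (d[i] == "portmap" || d[i] == "rpcbind" || d[i] == "ALL") hit = 1
            if (!hit) next
            m = split($2, c, /[ \t,]+/)
            for (i = 1; i <= m; i++) if (c[i] != "") print c[i]
        }' "$1"
}

# audit_portmap ALLOW_FILE DENY_FILE BACKEND_PREFIX   (prefix ends in ".")
# Prints findings and returns 1 if any; returns 0 when the rules are tight.
audit_portmap() {
    allow=$1; deny=$2; prefix=$3
    findings=$(
        pm_clients "$allow" | while read -r c; do
            case $c in
                "$prefix"*) ;;   # numeric pattern inside the backend subnet
                *[!0-9./]*) echo "WARN allow: '$c' is a name or wildcard, not a numeric address" ;;
                *) echo "WARN allow: '$c' is outside $prefix" ;;
            esac
        done
        pm_clients "$deny" | grep -qx ALL ||
            echo "FAIL deny: no ALL rule covers the portmapper; unmatched hosts are granted"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: audit_portmap /etc/hosts.allow /etc/hosts.deny 192.168.10.
```

Names are flagged because the wrapper-enabled portmapper does not resolve host names (to avoid deadlocks), so only numeric address patterns take effect for it.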

    
    


