Re: NFS Over Private Network
From: Luc I. Suryo (luc_at_suryo.com)
Date: 03/25/04
- Previous message: dreamwvr_at_dreamwvr.com: "Re: NFS Over Private Network"
- In reply to: Thomas Lindsay: "RE: NFS Over Private Network"
- Next in thread: Michael Wright: "Re: NFS Over Private Network"
Date: Wed, 24 Mar 2004 22:34:12 -0700
To: Thomas Lindsay <lindsayt@socsci.umn.edu>
Well, on a Solaris 9 system, from man nfsd:

    -t device
        Start a NFS daemon for the transport specified by the
        given device. Equivalent of the NFSD_DEVICE parameter
        in the nfs file.

So in /etc/init.d/nfs.server adjust the startup of the nfsd daemon only
on the interface you need.

And I would certainly advise using TCP and NFS version 3, and then
make sure in the /etc/dfs/dfstab (/etc/export is not the file to be used
on a Solaris 2.x system), and btw you could use something like this:

    -o rw=@10.0.0.1/24

As far as nfs/share, Solaris will not allow an nfs mount unless the host
is defined in /etc/hosts, so if you do want a more secure setting you may
*not* want to use the @xxxx method...
But check the man share_nfs..
>
> To what degree does this solution *protect* the share itself? Is there a
> way to tie the server share to a given interface, or better yet, bind nfsd
> itself to a specific interface? Call me paranoid, but I don't trust the
> builtin security mechanisms of nfs too far, especially considering the
> vulnerability rates of some Solaris rpc services in recent years.
>
> If nfsd cannot be specifically bound to a given interface (and hence not
> bound to others), then a private network between two machines will serve
> only to prevent man-in-the-middle types of attacks but still leaves the
> data vulnerable to any attack on the nfs server itself through the public
> interfaces.
To answer your question, it can be done in Solaris, and as far as rpc
issues, well, the bottom line is very simple: security is not bound to an
OS. One must make sure that 1. the network is secure and 2. the network
and system-administrator people need to make sure that both the systems
and the network are at the highest possible path security level...
Security is not free.. it takes effort and 'pain' :)
btw: I checked Solaris 8, it does accept the -t option too...
Does this help?
-ls
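
Added example, not part of the original message: a small sh function that reads dfstab text and reports which share lines limit rw/ro to an access list, such as the rw=@10.0.0.1/24 form mentioned above. The sample dfstab and its /export paths are constructed for illustration, and only the rw and ro suboptions are examined.

```shell
# Added example: report which share lines in Solaris dfstab text are
# limited to an access list. Only the rw/ro suboptions are examined.
audit_dfstab() (
    set -f    # keep patterns in the input from being glob-expanded
    # Strip comments; collapse a quoted -d description into one word.
    sed -e 's/#.*//' -e 's/"[^"]*"/DESC/g' | while read -r cmd rest; do
        [ "$cmd" = "share" ] || continue
        opts="" path=""
        set -- $rest
        while [ $# -gt 0 ]; do
            case "$1" in
                -o)    opts="${2:-}"; skip=2 ;;
                -F|-d) skip=2 ;;
                -*)    skip=1 ;;
                *)     [ -n "$path" ] || path="$1"; skip=1 ;;
            esac
            [ "$skip" -le "$#" ] || skip=$#
            shift "$skip"
        done
        listed=0 open=0
        old_ifs=$IFS; IFS=,
        for o in $opts; do
            case "$o" in
                rw=?*|ro=?*) listed=1 ;;  # access list given
                rw|ro)       open=1 ;;    # bare rw/ro: every client
            esac
        done
        IFS=$old_ifs
        # No rw/ro at all is the share_nfs default: read-write to all.
        if [ "$listed" = 1 ] && [ "$open" = 0 ]; then
            echo "RESTRICTED $path"
        else
            echo "OPEN $path"
        fi
    done
)

# Constructed sample input; paths are made up for illustration.
sample_dfstab() {
    cat <<'EOF'
# constructed sample dfstab
share -F nfs -o rw=@10.0.0.1/24 -d "private net" /export/data
share -F nfs -o ro /export/docs
share -F nfs /export/scratch
share -F nfs -o ro,rw=@10.0.0.1/24 /export/mixed
EOF
}

sample_dfstab | audit_dfstab
```

On a real server the input would be the contents of /etc/dfs/dfstab piped into audit_dfstab.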