Re: NFS Over Private Network
From: Luc I. Suryo (luc_at_suryo.com)
Date: Wed, 24 Mar 2004 22:34:12 -0700 To: Thomas Lindsay <firstname.lastname@example.org>
well on A solaris 9 system, from man nfsd
Start a NFS daemon for the transport specified by the
given device. Equivalent of the NFSD_DEVICE parameter
in the nfs file.
so in /etc/init.d/nfs.server adjust the startup of the nfsd deamon only
on the interface you need.
And I would certainly advice to use TCP and NFS version 3 and then
make sure in the /etc/dfs/dfstab (/etc/export is not the file to be used
on a Solaris 2.x system) and btw you could use something like this
As far nfs/share, Solaris will not allow nfs mount unless the host
define is in /etc/hosts, so if you do want a more secure setting you may
*not* want to use the @xxxx method...
But check the man share_nfs..
> To what degree does this solution *protect* the share itself? Is there a
> way to tie the server share to a given interface, or better yet, bind nfsd
> itself to a specific interface? Call me paranoid, but I don't trust the
> builtin security mechanisms of nfs too far, especially considering the
> vulnerability rates of some Solaris rpc services in recent years.
> If nfsd cannot be specifically bound to a given interface (and hence not
> bound to others), then a private network between two machines will serve
> only to prevent man-in-the-middle types of attacks but still leaves the
> data vulnerable to any attack on the nfs server itself through the public
to answer your question, it can be done in Solaris and as far rpc
issues, well the bottom line is very simple, security is not bound to a
OS, one must make sure that 1. the network is secure and 2. the Network
and system-administrator people need to make sure that both the systems
and the network at the highest possible path security level...
Security is not free.. it takes effort and 'pain' :)
btw: i checked Solaris 8, it does accept the -t option too...
does this help?