dAIvd (n00b)
Joined: 14 Sep 2003, Posts: 16
Posted: Fri Sep 30, 2005 10:17 am
Post subject: binding NFS only on local network
I have a problem that ought to be easy to solve, but I just can't figure it out. I run NFS on a server with two ethernet connections, one to the Internet and one to a gigabit local network. For security reasons I want to make nfs and portmap listen _only_ on the local interface, but all I can find are instructions for how to use hosts.allow or iptables, etc. This is all well and good, but I think it adds extra layers of complexity and possible vulnerabilities. All I want is to tell nfs not to bind on my external IP.
fvant (Guru)
Joined: 08 Jun 2003, Posts: 328, Location: Leiden, The Netherlands
dAIvd (n00b)
Joined: 14 Sep 2003, Posts: 16
Posted: Fri Sep 30, 2005 11:15 am
fvant wrote:
> You can restrict access to an export by IP or netmask in the /etc/exports file.

Yes, I know, but this is precisely what I don't want. NFS still listens on the Internet. From a security perspective it would be much better if I could just make it not listen, instead of trusting that it is free of vulnerabilities (which it obviously isn't).
CriminalMastermind (Tux's lil' helper)
Joined: 19 Nov 2003, Posts: 132, Location: toronto
Posted: Sat Oct 01, 2005 9:27 am
dAIvd wrote:
> all I can find are instructions for how to use hosts.allow or iptables, etc.

I believe those are the only ways you can do this. There are many services in the same boat too.

dAIvd wrote:
> This is all well and good, but I think it adds extra layers of complexity

Yeah, doing both probably adds to complexity... but me, I'm paranoid. What if your file system gets corrupted and your firewall script gets zapped? tcpd is just another check someone would have to get by... but also another place for a problem if you mess up a config, or are troubleshooting a problem. See... paranoid. I'm also paranoid enough to say you shouldn't run any services on your firewall, but I know that isn't always possible.

I'd go with iptables. I think if you use tcpd (hosts.allow/deny) it would still show up on a port scan, but I could be wrong. That is from my memory a long time ago.

dAIvd wrote:
> and possible vulnerabilities.

One could even make the argument that iptables would be more secure. More people may use iptables in general than that specific option in portmap and nfsd. But as I'm pretty sure the option isn't even there... it's kind of a moot point.

Hope that helped.
_________________
"I can picture a perfect world that knows of no war... and I can picture me attacking that world, because they'd never expect it."
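The two approaches the thread weighs, restricting by interface with iptables versus restricting by client address with tcp_wrappers, as an added worked example; this script is not from the thread or from any of its posters. The interface and port values are hypothetical placeholders (LAN_IF, WAN_IF, LAN_NET, and the MOUNTD/STATD/LOCKD ports), and the example assumes that rpc.mountd, rpc.statd and lockd have been pinned to fixed ports in the NFS daemon configuration, because by default they register random ports with portmap and cannot be filtered by port number. The caveat a practitioner should keep in mind: tcp_wrappers only covers the userspace daemons that link against libwrap (portmap, rpc.mountd, rpc.statd, rpc.rquotad); the kernel nfsd on 2049 and the kernel lockd never consult hosts.allow, so hosts.allow alone leaves exactly the listener dAIvd is worried about reachable from the Internet, while the iptables rules below drop it on the external interface.

```shell
#!/bin/sh
# Added example: keep portmap/NFS reachable only via the LAN interface.
# All values below are assumed placeholders; adjust them for the real host.
LAN_IF="${LAN_IF:-eth1}"                     # gigabit local interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"         # subnet allowed to mount exports
LAN_MASK="${LAN_MASK:-192.168.1.0/255.255.255.0}"  # same subnet, wrappers form
WAN_IF="${WAN_IF:-eth0}"                     # Internet-facing interface
MOUNTD_PORT="${MOUNTD_PORT:-32767}"          # rpc.mountd pinned with -p
STATD_PORT="${STATD_PORT:-32765}"            # rpc.statd pinned with -p
LOCKD_PORT="${LOCKD_PORT:-32768}"            # lockd pinned via nfs config

# The full set of ports the NFS service family uses: portmap (111),
# nfsd (2049) and the three helper daemons, which must be on fixed ports.
nfs_rpc_ports() {
    printf '111 2049 %s %s %s\n' "$1" "$2" "$3"
}

# Emit one iptables command per line. Loopback is accepted first because
# portmap and the helpers talk to each other over 127.0.0.1; LAN-subnet
# traffic on the LAN interface is accepted; the same ports are dropped on
# the Internet interface, so an external port scan sees them as filtered.
# Args: lan_if lan_net wan_if mountd_port statd_port lockd_port
nfs_lan_only_rules() {
    lan_if=$1
    lan_net=$2
    wan_if=$3
    ports=$(nfs_rpc_ports "$4" "$5" "$6")
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    for proto in tcp udp; do
        for port in $ports; do
            echo "iptables -A INPUT -i $lan_if -s $lan_net -p $proto --dport $port -j ACCEPT"
            echo "iptables -A INPUT -i $wan_if -p $proto --dport $port -j DROP"
        done
    done
}

# The tcp_wrappers alternative for comparison. portmap's libwrap check wants
# address/netmask form, not hostnames. Only the userspace daemons listed
# here honour it; the kernel nfsd (2049) and lockd do not, and every daemon
# still binds 0.0.0.0, so the ports remain visible to a scan from outside.
# 'ALL: ALL' in hosts.deny also affects every other wrapped service (sshd,
# for instance), so list those in hosts.allow too before relying on it.
# Arg: lan_mask in address/netmask form
tcp_wrappers_fragment() {
    lan_mask=$1
    echo '# /etc/hosts.allow'
    for daemon in portmap mountd statd rquotad; do
        echo "$daemon: $lan_mask"
    done
    echo '# /etc/hosts.deny'
    echo 'ALL: ALL'
}

case "${1:-}" in
    --apply)
        # Load the rules for real; needs root and the iptables binary.
        nfs_lan_only_rules "$LAN_IF" "$LAN_NET" "$WAN_IF" \
            "$MOUNTD_PORT" "$STATD_PORT" "$LOCKD_PORT" |
        while read -r rule; do
            $rule || { echo "failed: $rule" >&2; exit 1; }
        done
        ;;
    --wrappers)
        tcp_wrappers_fragment "$LAN_MASK"
        ;;
    *)
        # Default: print the rule set for review without touching the kernel.
        nfs_lan_only_rules "$LAN_IF" "$LAN_NET" "$WAN_IF" \
            "$MOUNTD_PORT" "$STATD_PORT" "$LOCKD_PORT"
        ;;
esac
```

Run it with no arguments to review the generated rules, with `--apply` as root to load them, or with `--wrappers` to print the hosts.allow/hosts.deny fragment. After applying, `netstat -ltun` on the server will still show portmap and nfsd bound to 0.0.0.0, which is the binding behaviour the thread says cannot be changed; the difference is observable only from outside, where `nmap -sU -sT -p 111,2049 <external IP>` should now report those ports as filtered on the Internet interface.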