SnEptUne l33t
Joined: 23 Aug 2004 Posts: 656
Posted: Sun Oct 22, 2006 12:46 am Post subject: Bind NFS to specific interface?
Hi everyone,
On my server, I have several network cards and network interfaces, for different kinds of network. One of the networks is connected to the Internet. However, whenever I start NFS, it binds itself to all network interfaces. Is there a way to restrict NFS and portmap so that it only binds to, say, two of the networks, to reduce security risk? Thank you.
_________________
"There will be more joy in heaven over the tear-bathed face of a repentant sinner than over the white robes of a hundred just men." (LM, 114)
Noven Tux's lil' helper
Joined: 27 Mar 2005 Posts: 138
Posted: Sun Oct 22, 2006 3:03 pm Post subject:
The option you want to pass to portmap is '-i {interface addresses}'.
The only computer here which is an NFS server runs Ubuntu (which makes a *totally crap* server btw, but it's political).
There is an /etc/default/portmap file which holds the line for us. I'm sure there will be a similar file somewhere in the Gentoo /etc.
Also make sure you use TCP wrappers - I don't trust NFS anywhere within coo-ee of the Internet, so layers are good.
_________________
- Novensiles divi Flamen
>---- Miles Militis Fons ----<
SnEptUne l33t
Joined: 23 Aug 2004 Posts: 656
Posted: Sun Oct 22, 2006 5:59 pm Post subject:
I found it. It is under /etc/conf.d/portmap. Ubuntu is a nice distribution as well. Unfortunately, portmap does not support the -i switch. Are you sure it is the portmap option? I got this when I start portmap:
Code:
/sbin/portmap: invalid option -- i
usage: /sbin/portmap [-dvl]
-d: debugging mode
-v: verbose logging
-l: listen only on loopback address (not on external address)
_________________
"There will be more joy in heaven over the tear-bathed face of a repentant sinner than over the white robes of a hundred just men." (LM, 114)
Noven Tux's lil' helper
Joined: 27 Mar 2005 Posts: 138
Posted: Sun Oct 22, 2006 6:24 pm Post subject:
That is odd. Check this:
(Ubuntu)
man portmap
NAME
portmap - DARPA port to RPC program number mapper
SYNOPSIS
portmap [-d] [-t dir] [-v] [-i address]
(Gentoo)
man portmap
NAME
portmap -- DARPA port to RPC program number mapper
SYNOPSIS
portmap [-dv]
For some reason portmap under Gentoo has fewer options than portmap under Ubuntu. When I first saw your post I was going to say that Ubuntu is nice for the desktop, just not so nice for a server. However I may have just found the first place in which Ubuntu has an edge. *Goes and sits down and breathes into a bag*. In fact this is a serious flaw... I'm sure in FreeBSD I was able to bind to a specific interface.
Ubuntu version 5-16ubuntu2. Gentoo version 5b-r9.
No -i option leaves TCP wrappers, your exports file and iptables as the security layers. May be worth filing as a bug report - it's either a missing feature or needs a version bump.
_________________
- Novensiles divi Flamen
>---- Miles Militis Fons ----<
SnEptUne l33t
Joined: 23 Aug 2004 Posts: 656
Posted: Sun Oct 22, 2006 6:34 pm Post subject:
I have filed the problem regarding portmap in Bugzilla. Thanks for the notice.
On the other hand, what is tcp-wrappers? How can I use it for nfs/portmap?
_________________
"There will be more joy in heaven over the tear-bathed face of a repentant sinner than over the white robes of a hundred just men." (LM, 114)
Noven Tux's lil' helper
Joined: 27 Mar 2005 Posts: 138
Posted: Sun Oct 22, 2006 6:51 pm Post subject:
TCP wrappers is implemented via the hosts.deny and hosts.allow files. For instance you might have:
# cat hosts.allow
portmap: 192.168.0.0/24
# cat hosts.deny
portmap: ALL
You can also do funky stuff like send yourself an email if an unauthorised host tries to connect. Man hosts.allow and hosts.deny for the full range of options. Although I recall that I couldn't allow or deny portmap by host or network name, it had to be an IP address.
_________________
- Novensiles divi Flamen
>---- Miles Militis Fons ----<
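To see how the two files above combine, here is an added example (not from this thread or from the tcp_wrappers project) that evaluates a client address against hosts.allow and hosts.deny the way tcp_wrappers does: hosts.allow is consulted first, then hosts.deny, and a client matching neither is permitted. The file contents are constructed to mirror the post, and only IP-based patterns are handled, matching the note above that host or network names did not work for portmap.

```python
import ipaddress

# Constructed sample files mirroring the post (assumed content, not a real host's files).
HOSTS_ALLOW = """\
# allow portmap only from the internal LAN
portmap: 192.168.0.0/24
"""
HOSTS_DENY = """\
portmap: ALL
"""


def parse_rules(text):
    """Return [(daemon_list, client_list), ...] from hosts.allow/hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, ip):
    """Match one client pattern: ALL, net/mask (dotted or prefix), leading octets, or a host IP."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                     # e.g. "192.168.0." means 192.168.0.*
        return str(ip).startswith(pattern)
    return ip == ipaddress.ip_address(pattern)


def rule_matches(rules, daemon, ip):
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(c, ip) for c in clients)
               for daemons, clients in rules)


def access_allowed(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcp_wrappers order: allow file first, then deny file, otherwise access is granted."""
    ip = ipaddress.ip_address(client)
    if rule_matches(parse_rules(allow_text), daemon, ip):
        return True
    if rule_matches(parse_rules(deny_text), daemon, ip):
        return False
    return True   # no rule matched: the default is to allow, which is why the deny line matters
```

A daemon with no line in either file is still reachable by everyone, so a restrictive hosts.deny entry is what actually closes the door.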
SnEptUne l33t
Joined: 23 Aug 2004 Posts: 656
Posted: Sun Oct 22, 2006 7:16 pm Post subject:
Thanks. I have created and updated my /etc/hosts.allow and /etc/hosts.deny accordingly. But it doesn't seem to add much security. After all, hostname and IP address can be spoofed and the ports are still open for connection as indicated by nmap.
_________________
"There will be more joy in heaven over the tear-bathed face of a repentant sinner than over the white robes of a hundred just men." (LM, 114)
Noven Tux's lil' helper
Joined: 27 Mar 2005 Posts: 138
Posted: Sun Oct 22, 2006 7:48 pm Post subject:
It doesn't really add that much security. If you try to mount as normal via a blocked IP it should fail, but a determined attacker could probably break it. You can prevent spoofed IPs connecting externally with iptables. But at the end of the day portmap *should* only be bound to certain interfaces, and I hope that bug is fixed before I end up serving NFS from a dual-homed Gentoo box. It's pure chance I'd never come across that before - although I can't recall putting NFS on any externally facing server.
_________________
- Novensiles divi Flamen
>---- Miles Militis Fons ----<