NFS question..

Mark Street jet at sonic.net
Wed Aug 21 10:51:39 PDT 2002


Emphasis on: NFS filesystems should not be exported to nonlocal 
machines......  That being said.

punch holes in firewall TCP and UDP 2049, TCP and UDP 111, yikes!!!

exports
#
/pac 123.123.123.123/32(rw,insecure)

tcpwrap portmap in /etc/hosts.deny

portmap : ALL EXCEPT 123.123.123.123

on the client end mount command

mount -o rw,hard,intr,bg,tcp 321.321.321.321:/pac

See how long it takes before you get portscanned on 111...... log them with 
portsentry or your firewall....

Just because you can, does not mean you should......

At 08:03 PM 8/20/2002 -0700, ME wrote:
>Knowing ahead of time, NFS does not stand for "Network File System" like
>many would have you believe, it is actually, "No Frickin' Security"; such
>is the case with many services over UDP. (TCP based NFS may add some
>security with NFSv3/TCP, but.... *sigh*)
>
>You probably want the "insecure" option for nfs which allows clients to
>bind from ports > 1024.
>
>#
>/pac    66.247.88.195(insecure,rw)

--------------------------------------------------------------------------
Mark Street
Chiropractor and RHCE
Validation Cert # 807302251406074
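
Added example, not part of the original message: a short Python check over exports lines that flags the settings discussed in this thread (the "insecure" option, and exports not pinned to one address). It assumes Linux exports(5) syntax; the function names, finding texts and sample addresses are constructed for illustration.

```python
import re

# Constructed sample in Linux exports(5) syntax; addresses are documentation placeholders.
SAMPLE_EXPORTS = """\
# constructed sample
/pac    192.0.2.10(insecure,rw)
/home   192.0.2.0/24(rw,sync)
/pub    *(ro)
/srv    192.0.2.11/32(ro,sync)
"""

# One client entry: host part, then an optional (option,list).
CLIENT_RE = re.compile(r"(?P<host>[^\s()]*)(?:\((?P<opts>[^)]*)\))?")

def is_single_ip(host):
    """True only for one literal IPv4 address, optionally written with a /32 mask."""
    m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3})(?:/([\d.]+))?", host)
    return bool(m) and m.group(2) in (None, "32", "255.255.255.255")

def audit_exports(text):
    """Return (path, client, finding) tuples for export entries worth reviewing."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = CLIENT_RE.fullmatch(client)
            if m is None:                        # e.g. unbalanced parentheses
                findings.append((path, client, "unparseable client entry"))
                continue
            host = m.group("host") or "*"        # empty host means any client
            opts = set(filter(None, (m.group("opts") or "").split(",")))
            if not is_single_ip(host):
                findings.append((path, host, "not pinned to a single literal IP"))
                if "rw" in opts:
                    findings.append((path, host, "read-write beyond a single IP"))
            if "insecure" in opts:
                findings.append((path, host, "insecure: source ports >= 1024 accepted"))
    return findings

if __name__ == "__main__":
    for path, host, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {host}: {finding}")
```
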


