NFS question..

ME dugan at passwall.com
Tue Aug 20 20:15:58 PDT 2002


Also, you realize that you may have posted to a public forum the
*real* name of the server (can be used to find the real IP), the service
share, and the IP address of permitted connections. :-(

If you did not pre-obfuscate these, then a would-be attacker has enough
information to launch an attack. So far, the mailing list has not been
archived to a web-readable format, but I am sure that may change.

Have you considered Samba? In many ways you can get a bit more security
from it when properly configured.

Another alternative that would take a processor hit for both machines
would be tunneling a ppp connection through an ssh session. Then use of
route entries may permit you to use NFS through a PPP session through SSH.
(Rather big processor hit for moving large files and data with encryption
being used and you will lose bandwidth to extra headers created from the
multiple layers.) This could allow you to include filtering rules to only
permit [TCP|UDP]/IP packets to the ppp IP address from the PPP interface
itself, but no others, making forged packets to a reserved IP on the PPP
link *very* difficult unless they own one end or the other. (Requires
filtering on both ends, etc.)

IPSEC could also be employed here instead to afford some security. I don't
know enough about it to discuss it in detail, but it would likely be less
of a drain on resources than the above and is "more standard."

-ME

On Tue, 20 Aug 2002, ME wrote:
> On Tue, 20 Aug 2002, Christopher Wagner wrote:
> > I'm trying to set-up a NFS mount from my home computer to my database server
> > at work for incremental backups.  I get this message on the Unixware 7.1.1
> > box (database server):
> > UX:nfs mount: ERROR: access denied for milo.waggie.net:/pac
> > 
> > and this message on the Redhat Linux 7.3 box at home:
> > 
> > Aug 20 17:02:57 milo rpc.mountd: refused mount request from
> > leg-66-247-88-195-STK.sprinthome.com for /pac (/pac): illegal port 56726
> > 
> > My /etc/exports on milo is:
> > #
> > /pac    66.247.88.195(rw)
> > 
> > I'm running iptables on milo and the database server is behind a Netopia
> > firewall product.  What do I need to open up on the firewalls to get this to
> > work?  I already opened up 4069/udp (I think that's the one) on milo.
> > 
> > Thanks in advance for any help provided!! :)
> 
> Knowing ahead of time, NFS does not stand for "Network File System" like
> many would have you believe, it is actually, "No Frickin' Security"; such
> is the case with many services over UDP. (TCP based NFS may add some
> security with NFSv3/TCP, but.... *sigh*)
> 
> You probably want the "insecure" option for nfs which allows clients to
> bind from ports > 1024.
> 
> #
> /pac    66.247.88.195(insecure,rw)
> 
> It is this line that suggests to me this to be the answer:
> > Aug 20 17:02:57 milo rpc.mountd: refused mount request from
> > leg-66-247-88-195-STK.sprinthome.com for /pac (/pac): illegal port 56726
>                                                         ^^^^^^^^^^^^^^^^^^
> 
> client using non-reserved port ( >1024 )
> 
> You may want to 
> # man exports
> to find out about other options.
> 
> Know this: 
> 
> even though you specify the IP of a host to connect to that share, UDP
> packets are easy to forge when compared to "sessions" with TCP!
> 
> -ME
> 
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.12
> GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-----) C++$(++++) U++++$(+$) P+$>+++ 
> L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ PGP++
> t at -(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++>++++ h(++)>+ r*>? z?
> ------END GEEK CODE BLOCK------
> decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html
> 
> 



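The refusal quoted in the thread comes from mountd's reserved-port ("secure") check: unless an export carries the "insecure" option, a mount request is rejected when its source port is 1024 or above, because on Unix only root can bind ports below 1024 and the client's port number is the only hint mountd has that the request came from a privileged process (and not, as ME notes, from an ordinary user or a forged UDP datagram). The script below is an added example, not code from the thread or from nfs-utils; it re-implements that decision against an /etc/exports file and recognises the "illegal port" syslog line, so the two exports lines and the log line from the thread can be checked without touching a live server. The exports text and log line embedded in it are constructed copies of what was posted; the function names are mine.

```python
"""Re-implementation (example, not nfs-utils code) of rpc.mountd's
reserved-port check, driven by /etc/exports syntax and the mountd syslog line.
"""
import ipaddress
import re

IPPORT_RESERVED = 1024  # ports below this need root to bind on Unix

# Constructed copies of the two /etc/exports variants from the thread.
EXPORTS_SECURE = "#\n/pac    66.247.88.195(rw)\n"
EXPORTS_INSECURE = "#\n/pac    66.247.88.195(insecure,rw)\n"

# Constructed copy of the syslog line quoted in the thread.
MOUNTD_LOG = ("Aug 20 17:02:57 milo rpc.mountd: refused mount request from "
              "leg-66-247-88-195-STK.sprinthome.com for /pac (/pac): "
              "illegal port 56726")

MOUNTD_LOG_RE = re.compile(
    r"rpc\.mountd: refused mount request from (?P<host>\S+) for "
    r"(?P<path>\S+) \(\S+\): illegal port (?P<port>\d+)")


def parse_exports(text):
    """Return {path: [(client_spec, {options}), ...]} from /etc/exports text.

    Each line is "path client(opts) client(opts) ..."; a bare "(opts)" means
    every client, and '#' starts a comment.
    """
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        entries = []
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            client = m.group(1) or "*"
            options = {o.strip() for o in (m.group(2) or "").split(",")
                       if o.strip()}
            entries.append((client, options))
        exports[path] = entries
    return exports


def client_matches(spec, client_ip):
    """Match an exports client spec ('*', IP, or CIDR) against an address.
    Hostnames and netgroups would need DNS/NIS, so they never match here."""
    ip = ipaddress.ip_address(client_ip)
    if spec == "*":
        return True
    try:
        if "/" in spec:
            return ip in ipaddress.ip_network(spec, strict=False)
        return ip == ipaddress.ip_address(spec)
    except ValueError:
        return False


def mount_decision(exports, path, client_ip, client_port):
    """Mimic mountd: (allowed, reason) for a MOUNT request for `path`
    arriving from client_ip:client_port."""
    for client, options in exports.get(path, []):
        if not client_matches(client, client_ip):
            continue
        # The "secure" default: refuse non-reserved source ports unless the
        # export was marked insecure. This is all that stands between the
        # IP-based ACL and any unprivileged or spoofed UDP sender.
        if client_port >= IPPORT_RESERVED and "insecure" not in options:
            return False, "illegal port %d" % client_port
        return True, "ok"
    return False, "no export of %s for %s" % (path, client_ip)


def refused_port_from_log(line):
    """Extract (host, path, port) from an 'illegal port' mountd syslog line,
    or None if the line is something else."""
    m = MOUNTD_LOG_RE.search(line)
    if not m:
        return None
    return m.group("host"), m.group("path"), int(m.group("port"))


if __name__ == "__main__":
    host, path, port = refused_port_from_log(MOUNTD_LOG)
    for label, text in (("secure", EXPORTS_SECURE), ("insecure", EXPORTS_INSECURE)):
        print(label, mount_decision(parse_exports(text), path, "66.247.88.195", port))
```

Running it shows the refusal for port 56726 under the original line and an accepted mount once "insecure" is added; the same client from a port below 1024 is accepted either way, which is exactly why the reserved-port rule is such a weak gate: it trusts whatever the far end claims about its source port.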