Subject: Re: restricting NFS (and associated services) to one IP address
To: Chuck Swiger <cswiger@mac.com>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: netbsd-users
Date: 10/09/2006 13:37:46
On Mon, 9 Oct 2006 10:21:57 -0700, Chuck Swiger <cswiger@mac.com> wrote:
> With regard to NFS and RFC services involving portmap, please
> understand that these services predated the notions of network
> security and firewalls needed today, and that these services are
> basically completely insecure.
Given how long I've been working on network security and firewalls --
close to 20 years -- I think I understand that *very* well. (I also
understand that many modern protocols aren't really any better, but that's
a separate rant.)
> It is not prudent or advisable to try
> to combine routing/firewall functionality and filesharing on the same
> machine; if your multihomed system is being used to route or NAT
> traffic, then, if at all possible, you should not configure it to
> operate as a fileserver as well.
>
Who said anything about routing, firewalls, or NAT? Not I.
The situation is more like this. I have several machines A, B, and C
that are exposed to the Internet. They also need to share files among
themselves via NFS, on a separate LAN. I want to make sure that nasty
packets don't get to the NFS-related services on these machines. I
could, I suppose, create machine D, which is only on the back end LAN; it
could be the common file server. For various reasons, that's not an
ideal solution, though I may resort to it. It also leaves open the
question of keeping fake responses away from the NFS clients on A, B, and
C.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
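As an added illustration (not part of this thread, and not a configuration from any of the participants), this is the kind of host packet-filter policy that answers the scenario above: A, B and C each carry one Internet-facing interface and one interface on the back-end LAN, and NFS/RPC traffic is accepted only on the latter. It is written for pf as shipped with NetBSD 3.x; the interface names `ext0` and `int0`, the subnet `10.0.0.0/24` and the choice of SSH as the only exposed service are assumptions to be replaced with local values. Because mountd, lockd and statd take dynamic port numbers from rpcbind unless pinned, the rules are expressed per interface rather than per port; only rpcbind (111) and nfsd (2049) have fixed ports worth naming explicitly.

```pf
# Added example, not from the thread. Assumed names: ext0 faces the
# Internet, int0 is the private LAN shared by A, B and C, and
# 10.0.0.0/24 is the back-end subnet.
ext_if = "ext0"
int_if = "int0"
backend_net = "10.0.0.0/24"

# The only RPC/NFS ports that are fixed: rpcbind/portmap and nfsd.
# mountd, lockd and statd are dynamic, hence the per-interface rules.
rpc_fixed = "{ 111, 2049 }"

set skip on lo0

# Default deny on every interface; later pass rules open what is needed.
block in log all

# Drop packets that arrive on the wrong interface for their source
# address, e.g. a "reply" claiming a back-end address but entering on
# ext0. This covers spoofing from outside, not from a host on the LAN.
antispoof quick for { $int_if, $ext_if }

# Back-end LAN: accept RPC/NFS (and everything else) only from the
# other hosts on that subnet, addressed to this host's LAN address.
pass in on $int_if proto { tcp, udp } from $backend_net to ($int_if) keep state

# Internet side: refuse the fixed RPC ports outright (quick, so no later
# rule can reopen them), then allow only the intended public service.
block in quick on $ext_if proto { tcp, udp } from any to any port $rpc_fixed
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state

# Outbound: this host may initiate connections on either side; the state
# entries admit the genuine replies, and unsolicited packets that match
# no state fall through to the default block.
pass out on $ext_if keep state
pass out on $int_if keep state
```

Load it with `pfctl -f /etc/pf.conf` after checking the syntax with `pfctl -nf /etc/pf.conf`. The filter complements, rather than replaces, binding the daemons to the LAN address where the daemon supports it: the daemons remain listening on all addresses, but nothing from `ext0` reaches them.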