Subject: Re: restricting NFS (and associated services) to one IP address
To: None <netbsd-users@netbsd.org>
From: matthew sporleder <msporleder@gmail.com>
List: netbsd-users
Date: 10/09/2006 13:53:21
On 10/9/06, Christian Biere <christianbiere@gmx.de> wrote:
> Steven M. Bellovin wrote:
> > On Mon, 9 Oct 2006 10:21:57 -0700, Chuck Swiger <cswiger@mac.com> wrote:
> > Who said anything about routing, firewalls, or NAT?  Not I.
> >
> > The situation is more like this.  I have several machines A, B, and C
> > that are exposed to the Internet.  They also need to share files among
> > themselves via NFS, on a separate LAN.  I want to make sure that nasty
> > packets don't get to the NFS-related services on these machines.  I
> > could, I suppose, create machine D, which is only on the back end LAN; it
> > could be the common file server.  For various reasons, that's not an
> > ideal solution, though I may resort to it.  It also leaves open the
> > question of keeping fake responses away from the NFS clients on A, B, and
> > C.
>
> What about VLAN or a virtual private LAN dedicated to NFS?
>

That's how I do it, but I agree that every service should be able to
bind to only one IP.  It seems like a pretty basic requirement of any
network service.
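As an added example that is not part of this thread: a POSIX shell audit that reads `rpcinfo -p` and `netstat -an -f inet` output and reports which RPC/NFS listeners are bound to the wildcard address ("*", i.e. every interface, public side included) instead of a single backend-LAN address. The sample output below is constructed, and the addresses 10.0.0.10 (NFS-only LAN) and 192.0.2.10 (public side) are assumptions. Because mountd, lockd and statd get dynamic ports from the portmapper, the check maps ports through rpcinfo rather than assuming fixed port numbers, which is also why fixed-port filter rules alone are awkward for NFS and why binding each service to one IP (or a dedicated VLAN) is the cleaner fix.

```sh
#!/bin/sh
# Added example, not from the thread: find RPC/NFS listeners bound to the
# wildcard address on a BSD-style host.  Run offline on the constructed
# samples below; on a real NetBSD host feed it the real `rpcinfo -p` and
# `netstat -an -f inet` output instead.

# Constructed sample of `rpcinfo -p` (program vers proto port service).
# Note that mountd, nlockmgr and status sit on dynamic ports.
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    642  mountd
    100005    1   tcp    644  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100021    1   udp    819  nlockmgr
    100024    1   udp    811  status'

# Constructed sample of `netstat -an -f inet`.  Assumed addressing:
# 192.0.2.10 is the Internet-facing address, 10.0.0.10 the NFS-only LAN.
# Only nfsd has been bound to the backend address here; everything else
# still listens on "*".
NETSTAT_SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0      0  *.111                  *.*                    LISTEN
tcp        0      0  *.644                  *.*                    LISTEN
tcp        0      0  10.0.0.10.2049         *.*                    LISTEN
tcp        0      0  192.0.2.10.22          *.*                    LISTEN
udp        0      0  *.111                  *.*
udp        0      0  *.642                  *.*
udp        0      0  10.0.0.10.2049         *.*
udp        0      0  *.819                  *.*
udp        0      0  *.811                  *.*'

# Print one "port/proto service" line for every RPC service whose listener
# is bound to the wildcard address.  Arguments: rpcinfo text, netstat text.
wildcard_rpc_listeners() {
    rpcinfo=$1
    netstat=$2
    # Skip the header; emit proto, port and service name per registration.
    printf '%s\n' "$rpcinfo" | awk 'NR > 1 && NF >= 5 { print $3, $4, $5 }' |
    while read -r proto port svc; do
        # BSD netstat prints the local socket as "addr.port"; "*" is INADDR_ANY.
        if printf '%s\n' "$netstat" | awk -v p="$proto" -v port="$port" \
            '$1 == p && $4 == ("*." port) { found = 1 } END { exit !found }'
        then
            printf '%s/%s %s\n' "$port" "$proto" "$svc"
        fi
    done | sort -u
}

# Stand-alone run: lists the listeners that are still reachable from the
# public side and should be re-bound to the backend address or filtered.
wildcard_rpc_listeners "$RPCINFO_SAMPLE" "$NETSTAT_SAMPLE"
```

On the sample data this reports the portmapper (111/tcp and 111/udp), both mountd ports, nlockmgr and status, and stays silent about nfsd, which is the only service bound to 10.0.0.10. The same function works on live output via `wildcard_rpc_listeners "$(rpcinfo -p)" "$(netstat -an -f inet)"`.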