Subject: Re: Host access philosophy (Was: restricting NFS (and associated services) to one IP address)
To: None <tls@rek.tjls.com>
From: Byron Servies <bservies@pacang.com>
List: netbsd-users
Date: 10/09/2006 18:07:23
On Oct 9, 2006, at 5:53 PM, Thor Lancelot Simon wrote:
> On Mon, Oct 09, 2006 at 08:37:44PM -0400, Steven M. Bellovin wrote:
>>
>> The first is to incorporate access control semantics into rpcbind. It's
>> not a horrible solution, in that it provides some protection against
>> attackers who first query rpcbind to find out what port numbers to
>> attack.
>
> I've already said something analogous in private email, but I'll share
> it, I suppose, with the list.
>
> I do not think that "access control" semantics in particular applications
> are quite what is wanted, here, if you mean "access control by address of
> requesting party" which is what most people, I think, would assume you
> mean.
>
> What you want, as far as I can tell, is access control at the granularity
> merely of "reachability from directly-connected network N". Assuring that
> unauthorized parties have no connectivity to N is a problem you're willing
> to place out of scope for your present effort. Firewalls (including
> IP-layer filtering on the local host) can give you this, but configuring
> them for protocols that use dynamic port addressing can be a real
> nuisance.
I freely admit I am out of my depth, but wasn't NFSv4 designed to
solve a lot of these long-standing NFS problems?
http://www.ietf.org/rfc/rfc3530.txt
Byron
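[Editor's added example, not part of the thread.] One way to get the "reachability from directly-connected network N" granularity Thor describes, on the NFS server itself, without enumerating the dynamic ports that mountd, lockd and statd pick up from rpcbind: filter by interface and source prefix instead of by port. The fragment below is a pf.conf written for this page, not something any poster supplied; the choice of pf (rather than ipf), the interface names wm0/wm1, and the prefix 192.168.10.0/24 are assumptions you would replace with your own.

```conf
# pf.conf fragment (editor's added example; interface names, addresses and
# the use of pf rather than ipf are assumptions, not from the thread).

ext_if  = "wm0"                # assumed: interface facing untrusted networks
nfs_if  = "wm1"                # assumed: interface attached to network N
nfs_net = "192.168.10.0/24"    # assumed: N's prefix, the only allowed clients

set skip on lo0
block in log                   # default deny for all inbound traffic

# Drop packets that claim a source address in N but arrive on some other
# interface; otherwise the source-prefix check below is trivially spoofed.
antispoof for $nfs_if inet

# rpcbind (111) and nfsd (2049) sit on fixed ports, but mountd, lockd and
# statd register dynamic ports with rpcbind. Rather than chase those, admit
# TCP and UDP to this host only on the interface attached to N and only
# from N's own prefix: reachability from N is the access-control boundary.
pass in quick on $nfs_if inet proto { tcp, udp } from $nfs_net to ($nfs_if) keep state

# Nothing RPC-related is opened on the untrusted interface; only what the
# host needs there (here, just ssh) is passed explicitly.
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh keep state
```

Two caveats a practitioner would want. First, this is exactly the limitation Thor names: it is a statement about connectivity, not about identity. Every host that can put packets onto N with a source in the prefix is trusted, and whatever the NFS exports themselves rely on (typically AUTH_SYS uid/gid from the client) is unchanged. Second, "antispoof" and the per-interface "pass" only help if N really is a directly attached segment; if N is routed through the untrusted interface, the whole premise collapses and you are back to per-service access control.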