Subject: Re: restricting NFS (and associated services) to one IP address
To: Michael van Elst <mlelstv@serpens.de>
From: matthew sporleder <msporleder@gmail.com>
List: netbsd-users
Date: 10/10/2006 09:36:21
On 10/10/06, Michael van Elst <mlelstv@serpens.de> wrote:
> acruhl@gmail.com ("Andy Ruhl") writes:
>
> >If it were possible to bind NFS to an IP and not expose them to the
> >internet (thereby implying a multi homed host), would your answer be
> >the same?
>
> Mine would be the same. There are several complex mechanisms to
> inject IP packets to arbitrary destinations, your firewall or
> packet filter adds a protection layer in front of these.
>
> Binding to a non-public IP is a weak safety measure.
>
Can you please expand on this a little more? In an earlier email, you
seem to imply that using a "firewall"-type software to block packets
is secure, but now you're saying that not listening to an interface is
insecure. Do you have reason to believe that IPF/PF is -better- at
denying access to a service than the netbsd networking implementation?
Is there some bug where one could jump from one network to another?
If you're not listening on a network, where's the attack?
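As an added illustration of the "packet filter in front of the bind" point Michael makes above (this is example configuration, not anything posted in the thread), here is a pf.conf fragment that admits the NFS core ports only on the internal interface from one trusted client network and blocks them everywhere else. Interface names, the client network, and the port list are assumptions chosen for the example.

```pf
# Added example, not from the thread. Restrict rpcbind/portmap (111) and
# nfsd (2049) to one interface and one client network; block elsewhere.
# Interface names and the client network are assumptions for illustration.
ext_if      = "wm0"              # assumed public-facing interface
int_if      = "wm1"              # assumed internal interface carrying NFS
trusted_net = "192.0.2.0/24"     # constructed sample client network
nfs_ports   = "{ 111, 2049 }"

set skip on lo0

# pf evaluates rules last-match-wins, so the broad block comes first and
# the narrow pass for trusted clients on the internal interface overrides it.
block in on { $ext_if, $int_if } proto { tcp, udp } to any port $nfs_ports
pass  in on $int_if proto { tcp, udp } from $trusted_net to $int_if port $nfs_ports
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`. Two caveats worth keeping in mind: the ancillary daemons (mountd, lockd, statd) register with rpcbind on assigned ports rather than fixed ones, so a filter keyed only on 111 and 2049 does not cover them unless those daemons are pinned to known ports or the external interface is under a default-deny policy that passes only what is explicitly needed; and the filter is a second layer, so the daemons should still be bound to the internal address where the software allows it, which is the point of the thread rather than a replacement for it.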