Subject: Re: NFS and reserved ports
To: Jonathan Stone <jonathan@dsg.stanford.edu>
From: Perry E. Metzger <perry@piermont.com>
List: tech-security
Date: 03/24/1997 20:22:15
Jonathan Stone writes:
> 
> On Mon, 24 Mar 1997 19:36:15 -0500
>  Perry E. Metzger <perry@piermont.com> writes:
> 
> [checking /etc/exports ACLs for each NFS rpc]
> 
> >1) way too slow.
> 
> Compared to  going to  *disk* ???

Dunno about you, but I tend to use NFS on networks with hundreds to
thousands of machines allowed to mount a partition. Checking that
isn't going to be pleasantly fast. I suppose a hash table or tree
structure might work, but this isn't going to be particularly quick to
run or easy to implement. (Merely checking network numbers is NOT in
general acceptable for this application.)

I will, however, say that a hack that let you limit NFS traffic to
your local network might be a good idea, and that might be cheap. It
just isn't a substitute for fsirand.

BTW, I will point out that this still does nothing to defend yourself
against guessed NFS file handles with forged addresses on them -- you
need fsirand for that. (You should be able to stop packets claiming
that they are from your network with a filtering router at your
border, but some people don't have that luxury.)

Perry