NFS question..
Mark Street
jet at sonic.net
Wed Aug 21 10:51:39 PDT 2002
Emphasis on: NFS filesystems should not be exported to nonlocal
machines...... That being said.
Punch holes in firewall TCP and UDP 2049, TCP and UDP 111, yikes!!!

exports:

#
/pac 123.123.123.123/32(rw=123.123.123.123,insecure)

tcpwrap portmap in /etc/hosts.deny:

in.portmap : ALL ! 123.123.123.123

On the client end, mount command:

mount -o rw,hard,intr,bg,tcp 321.321.321.321:/pac

See how long it takes before you get portscanned on 111...... log them with
portsentry or your firewall....
Just because you can, does not mean you should......
At 08:03 PM 8/20/2002 -0700, ME wrote:
>Knowing ahead of time, NFS does not stand for "Network File System" like
>many would have you believe, it is actually, "No Frickin' Security"; such
>is the case with many services over UDP. (TCP based NFS may add some
>security with NFSv3/TCP, but.... *sigh*)
>
>You probably want the "insecure" option for nfs which allows clients to
>bind from ports > 1024.
>
>#
>/pac 66.247.88.195(insecure,rw)
--------------------------------------------------------------------------
Mark Street
Chiropractor and RHCE
Validation Cert # 807302251406074
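
Added example, not part of the original message: a small Python audit of an exports file that flags the "insecure" option discussed in the thread and client specifications wider than a single host. The sample file is constructed (its first entry is the export line from the message above), the finding names are hypothetical, and the no_root_squash check goes beyond what the thread mentions. It assumes the "path client(options)" layout used in the thread, without quoted paths or line continuations.

```python
import ipaddress

# Constructed sample; the first entry is the export line from the thread.
SAMPLE_EXPORTS = """\
# constructed sample, not a real server's file
/pac 123.123.123.123/32(rw=123.123.123.123,insecure)
/pub *(ro)
/home 10.0.0.0/8(rw,no_root_squash) trusted.example.com(rw)
/scratch
"""

def parse_exports(text):
    """Yield (path, client, options) for every client of every export."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or [""]:  # no client list: anyone may mount
            host, _, rest = spec.partition("(")
            opts = set(filter(None, rest.rstrip(")").split(",")))
            yield path, host or "*", opts

def is_broad(host):
    """True when the client spec can match more than one machine."""
    if host.startswith("@") or any(c in host for c in "*?["):
        return True  # netgroup or wildcard
    try:
        return ipaddress.ip_network(host, strict=False).num_addresses > 1
    except ValueError:
        return False  # plain hostname: one client

def audit(text):
    """Return (path, client, finding) tuples; finding names are hypothetical."""
    findings = []
    for path, host, opts in parse_exports(text):
        if "insecure" in opts:  # source ports above the reserved range accepted
            findings.append((path, host, "insecure-ports"))
        if "no_root_squash" in opts:  # client root is not mapped to nobody
            findings.append((path, host, "no-root-squash"))
        if is_broad(host):
            writable = any(o == "rw" or o.startswith("rw=") for o in opts)
            findings.append((path, host, "broad-rw" if writable else "broad-ro"))
    return findings

if __name__ == "__main__":
    for path, host, finding in audit(SAMPLE_EXPORTS):
        print(f"{path:10} {host:22} {finding}")
```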