[buug] Secure NFS?
jammer at weak.org
Tue Feb 18 14:14:42 PST 2003
On Tue, Feb 18, 2003 at 10:32:29AM -0800, Nick Jennings wrote:
> On Sat, Feb 15, 2003 at 12:17:24PM -0800, Jon McClintock wrote:
> > Alternatively, does anyone have a spare PCI ethernet card? The problem
> > is, the server with the files on it is on the public internet, and the
> > OS/X client is on a NAT network behind the firewall. I've got the server
> > set up to only allow NFS from the firewall's IP, but since the firewall
> > also NATs for the (unprotected) wireless network, there's a wee hole in
> > my security that I'd rather not have.
> Why don't you just block NFS requests coming from the router? You
> shouldn't need to access NFS data from your router anyways.
Here is my network map:
weak.org is the file server. feeling.weak.org is the NAT
router/firewall. The hosts that want to mount files from weak.org are
on the wired NAT network. The wireless NAT network is freely accessible
Since both NAT networks present the same IP address to the outside
world (and thus to the fileserver), I can't just block the IP of the
router. I could block outbound NFS traffic from the wireless NAT
network, but that seems kludgey.
My solution is to add a second ethernet card to weak.org into the wired
It's a shame NFS is the best working network file system in OS/X,
because it's crap for security.