[buug] Secure NFS?

Jon McClintock jammer at weak.org
Tue Feb 18 14:14:42 PST 2003


On Tue, Feb 18, 2003 at 10:32:29AM -0800, Nick Jennings wrote:
> On Sat, Feb 15, 2003 at 12:17:24PM -0800, Jon McClintock wrote:
> > Alternatively, does anyone have a spare PCI ethernet card? The problem
> > is, the server with the files on it is on the public internet, and the
> > OS/X client is on a NAT network behind the firewall. I've got the server
> > set up to only allow NFS from the firewall's IP, but since the firewall
> > also NATs for the (unprotected) wireless network, there's a wee hole in
> > my security that I'd rather not have.
> 
>  Why don't you just block NFS requests coming from the router? You
>  shouldn't need to access NFS data from your router anyways.


Here is my network map:


   ADSL router
        |
        \_______________________________________________
                   |                                    |
            feeling.weak.org                        weak.org
             |           |
          Wireless     Wired
            NAT         NAT
           Network     Network

weak.org is the file server. feeling.weak.org is the NAT
router/firewall. The hosts that want to mount files from weak.org are
on the wired NAT network. The wireless NAT network is freely accessible
to anyone.

Since both NAT networks present the same IP address to the outside
world (and thus to the fileserver), I can't just block the IP of the 
router. I could block outbound NFS traffic from the wireless NAT
network, but that seems kludgey. 

My solution is to add a second ethernet card to weak.org into the wired
NAT network.

It's a shame NFS is the best working network file system in OS/X,
because it's crap for security.

-Jon
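
The following is an added example, not part of the original message: a small Python model of the NAT problem described above, showing why the server's IP-based restriction cannot tell the wired and wireless networks apart, and why a filter on the firewall, applied before NAT, can. The subnets, the public address and all function names are assumptions made up for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (private and documentation ranges), not from the post.
WIRED = ipaddress.ip_network("192.168.1.0/24")
WIRELESS = ipaddress.ip_network("192.168.2.0/24")
FIREWALL_PUBLIC = ipaddress.ip_address("203.0.113.2")  # stands in for feeling.weak.org

# portmapper and nfsd. mountd and lockd get ports from the portmapper unless
# they are pinned, so a real rule set has to cover those ports as well.
NFS_PORTS = {111, 2049}


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dport: int


def forward_allowed(pkt: Packet, block_wireless_nfs: bool) -> bool:
    """Firewall forwarding decision, taken before NAT while the real source is visible."""
    if block_wireless_nfs and pkt.src in WIRELESS and pkt.dport in NFS_PORTS:
        return False
    return True


def snat(pkt: Packet) -> Packet:
    """Source NAT: every internal host leaves with the firewall's public address."""
    return Packet(FIREWALL_PUBLIC, pkt.dport)


def server_acl_allows(pkt: Packet) -> bool:
    """File server restriction from the post: NFS only from the firewall's IP."""
    return pkt.src == FIREWALL_PUBLIC


def reaches_nfs(client_ip: str, dport: int = 2049, block_wireless_nfs: bool = False) -> bool:
    """True if a request from client_ip gets past both the firewall and the server ACL."""
    pkt = Packet(ipaddress.ip_address(client_ip), dport)
    if not forward_allowed(pkt, block_wireless_nfs):
        return False
    return server_acl_allows(snat(pkt))


if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.2.50"):  # one wired host, one wireless host
        print(ip, "ACL only:", reaches_nfs(ip),
              "| with pre-NAT filter:", reaches_nfs(ip, block_wireless_nfs=True))
```
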


