On Thu, Nov 07, 2002 at 10:18:54AM -0500, Matthew Saltzman wrote:
> > > > What ports on a machine need to be opened in order to export and/or import
> > > > NFS mounts?
> Sheesh, it does seem like one might as well run without a firewall. I
> knew it was more complicated than just opening the nfs service ports, but
> I didn't realize how much so.

NFS = "Not Feeling Secure". Also known by "No F'ing Security". NFS absolutely trusts the client not to lie to it. There is *no* authentication done whatsoever. If the client tells the server that its uid/gid is 0/0, the server trusts it. For this reason, you should *never* run NFS on an insecure network. Hence, keep it blocked at the firewall. NFS penetration techniques have been well known for at least 10 years and I'd be surprised if there weren't automated script kiddies available that could get you in short order.

All that said, it is possible to tunnel NFS inside of ssh. This not only adds an additional level of security to the picture, but drastically limits the ports that you need. Do a quick google search for "nfs ssh". The first hit looked interesting at http://www.math.ualberta.ca/imaging/snfs/. I haven't implemented any nfs over ssh, but if I had to have nfs over a wan, this is the approach I'd consider.

Here's a good overview on how to set it up from scratch:
http://www.linuxsecurity.com/feature_stories/feature_story-118.html

-- 
Ed Wilts, Mounds View, MN, USA
mailto:ewilts@ewilts.org
Member #1, Red Hat Community Ambassador Program

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
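The point Ed makes above (the server believes whatever uid/gid the client sends, so the only real controls are where the export is reachable from and how the export is configured) can be checked mechanically on the server side. The script below is an added example, not code from anyone in this thread: it parses a constructed `/etc/exports` in exports(5) syntax and flags the settings that widen the trust the message describes, namely wildcard client lists, `no_root_squash`, `insecure`, and exports left on the default `sec=sys` (AUTH_SYS) flavour instead of a Kerberos flavour. The sample exports file and the host names in it are made up for the demonstration.

```python
"""Audit an /etc/exports file for settings that rely on the client's honesty.

Constructed example; the exports content below is not a real configuration.
"""
from typing import List, Tuple

# Constructed sample /etc/exports (exports(5) syntax: path, then client(options) tokens).
SAMPLE_EXPORTS = """\
# lab project tree
/srv/lab      192.168.10.0/24(rw,sync,root_squash)
/home         *(rw,no_root_squash)
/srv/backup   backup.example.org(rw,sec=krb5p,sync)
/srv/pub      10.0.0.0/8(ro,insecure)
/srv/scratch  *.example.org
"""

Entry = Tuple[str, str, List[str]]      # (path, client, options)
Finding = Tuple[str, str, str]          # (path, client, reason)


def parse_exports(text: str) -> List[Entry]:
    """Return one (path, client, options) triple per client on each export line."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:] or ["*"]   # bare path = exported to everyone
        for tok in clients:
            if "(" in tok:
                host, _, opts = tok.partition("(")
                options = [o.strip() for o in opts.rstrip(")").split(",") if o.strip()]
            else:
                host, options = tok, []              # defaults: ro, root_squash, secure, sec=sys
            entries.append((path, host or "*", options))
    return entries


def audit_exports(text: str) -> List[Finding]:
    """Flag exports whose safety depends on the client not lying about uid/gid."""
    findings: List[Finding] = []
    for path, host, options in parse_exports(text):
        opts = set(options)
        # sec= defaults to sys (AUTH_SYS) when absent; krb5/krb5i/krb5p authenticate the user
        sec = next((o.split("=", 1)[1] for o in options if o.startswith("sec=")), "sys")
        if host.startswith("*"):
            findings.append((path, host, "wildcard client list: any host that can reach the port may mount"))
        if "no_root_squash" in opts:
            findings.append((path, host, "no_root_squash: a client claiming uid 0 is root on the server"))
        if "insecure" in opts:
            findings.append((path, host, "insecure: requests from unprivileged source ports are accepted"))
        if sec == "sys":
            findings.append((path, host, "sec=sys: server trusts the uid/gid the client sends"))
    return findings


def paths_with_findings(text: str) -> List[str]:
    """Distinct export paths that produced at least one finding, in file order."""
    seen: List[str] = []
    for path, _, _ in audit_exports(text):
        if path not in seen:
            seen.append(path)
    return seen


if __name__ == "__main__":
    for path, host, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {host:20} {reason}")
```

Running it against the sample shows that only the Kerberos-protected `/srv/backup` export produces no findings; every `sec=sys` export is listed even when it uses `root_squash`, because squashing root does nothing about a client that claims some other user's uid. The host checks are deliberately simple (a wildcard prefix only); a production version would also resolve netgroups and check the export list against the firewall rules that actually govern port 2049 and the portmapper.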