On Jun 15, 2007, at 12:27 AM, Jeremie Le Hen wrote:
> It appears nearly impossible to firewall a NFS server on FreeBSD.

Yes and no. It's quite easy to firewall NFS along with everything else using a "default deny" ruleset. It's highly difficult to place a restrictive firewall ruleset between an NFS server and legitimate NFS clients, and, more relevantly, it's an open question as to whether it is useful (ie, results in a noticeable benefit to security) to try.

The primary purpose of a firewall is to restrict traffic between machines or subnets which are in different trust domains, but you'd darn well better be willing to trust the NFS clients which you intend to connect to your NFS server to access the data on that NFS server, or else you shouldn't be letting them connect via NFS at all. This is because NFS is, by-and-large, unsecurable to a knowledgeable attacker who has NFS client access anyway, or even just the ability to see and inject packets into the same subnet that either the client or server is on.

This is less true if NFSv4 via SecureRPC is involved, but otherwise a simple MitM attack via ARP-cache poisoning or similar will get the attacker quite far...

--
-Chuck

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
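As an added example (not part of Chuck's reply or of the FreeBSD project's own configuration), here is what the "default deny" approach he describes looks like as a pf ruleset on a FreeBSD NFS server. NFSv3 is awkward to firewall because mountd, rpc.lockd and rpc.statd normally take ports assigned by rpcbind at startup, so the example pins them to fixed ports in rc.conf and then admits those ports only from a table of trusted clients. The interface name, the client addresses and the port numbers 4001-4003 are assumptions chosen for illustration.

```pf
# /etc/pf.conf on the NFS server (added example; names and addresses are assumed)
#
# Prerequisite: pin the RPC sidecar daemons so the ruleset can name their ports.
# Corresponding /etc/rc.conf lines (port numbers are assumptions):
#   rpcbind_enable="YES"
#   nfs_server_enable="YES"
#   mountd_flags="-r -p 4001"
#   rpc_lockd_enable="YES"
#   rpc_lockd_flags="-p 4002"
#   rpc_statd_enable="YES"
#   rpc_statd_flags="-p 4003"
# nfsd itself always listens on 2049 and rpcbind on 111, so only the three
# sidecars need pinning.

ext_if = "em0"                                  # assumed interface name
table <nfs_clients> { 192.0.2.10, 192.0.2.11 }  # assumed trusted clients

# rpcbind, nfsd, mountd, lockd, statd (same ports over TCP and UDP)
nfs_ports = "{ 111, 2049, 4001, 4002, 4003 }"

set skip on lo0

# Default deny in both directions; everything below is an explicit exception.
block log all

# Let the server originate connections (e.g. NFSv3 lockd/statd callbacks
# to a client, or package fetches) and keep state for the replies.
pass out quick keep state

# NFS over TCP and UDP, but only from the trusted client table.
pass in quick on $ext_if proto tcp from <nfs_clients> to ($ext_if) \
    port $nfs_ports flags S/SA keep state
pass in quick on $ext_if proto udp from <nfs_clients> to ($ext_if) \
    port $nfs_ports keep state

# Administrative access from the same hosts.
pass in quick on $ext_if proto tcp from <nfs_clients> to ($ext_if) \
    port 22 flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` to syntax-check and `pfctl -f /etc/pf.conf` to apply, then confirm with `rpcinfo -p` on the server that mountd, lockd and statd really registered on the pinned ports, otherwise clients will hang at mount time. This ruleset only narrows who may talk NFS to the server; as the reply points out, it does nothing against an attacker on the same segment who can spoof a trusted client's address or poison ARP caches, which is why the trust decision has to be made before the ruleset is written.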
