From: [EMAIL PROTECTED]

> > i file nfs traffic into the "stuff not supposed to be going through
> > the firewall" category. a firewall implies there are bad people on
> > one side of it, and you don't want bad people to access nfs, ever.
> > i'd use a vpn of some sort to tunnel through the firewall.
>
> I agree, however, my NFS traffic is not passing through a firewall. This
> is an internal host on a "trusted" network serving things like http. I
> usually lock down all of my boxes whether they are facing the Internet
> or not. Anyway, I just recently decided to export an NFS share on this
> box and ran into my originally posted problem.
> It just kind of sucks that now I have to compromise security or
> functionality or create a workaround. Not that this box really needs to
> run pf, I just feel better about doing so.
Such is life. Put the blame where it is due; RPC blows, and NFS blows too. Neither of them lends well in any way towards "security." The only "protections" that have come about for them are kludges anyway, like the -p switch. The dynamic port mappings thing was a "let's put in some security" before such crap was known to be a trivial joke. authpf seems a reasonable compromise if you can manage it. I think it's somewhat unrealistic to expect much better out of the whole situation.

DS
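For reference, this is what the "pin the ports and filter them" kludge mentioned above looks like in pf.conf. It is an added example, not something posted in the thread. It assumes the RPC-based daemons were started with fixed ports (portmap/rpcbind on its usual 111, nfsd on 2049, and mountd pinned with -p to an arbitrarily chosen 892; on FreeBSD rpc.lockd and rpc.statd also take -p and would need pinning if file locking is used), that the interface is em0, and that the client addresses are a constructed trusted set. Without the pinning, mountd picks a port at registration time and there is nothing stable for a pf rule to match.

```pf
# Added example, not from the mailing-list thread.
# Assumes the daemons were started with fixed ports, e.g. on FreeBSD:
#   mountd -p 892   (nfsd is already on 2049, rpcbind/portmap on 111)
# Port 892, the interface name and the client addresses are assumptions.
ext_if      = "em0"
nfs_clients = "{ 192.0.2.10, 192.0.2.11 }"   # constructed trusted clients
nfs_ports   = "{ 111, 2049, 892 }"           # portmap, nfsd, pinned mountd

set skip on lo

# Default deny inbound; log what gets dropped so stray RPC shows up.
block in log on $ext_if
pass out on $ext_if keep state

# NFS/RPC over TCP and UDP, only from the trusted clients, only to the
# pinned ports. Anything mountd would have grabbed dynamically is blocked.
pass in on $ext_if proto { tcp, udp } from $nfs_clients \
    to ($ext_if) port $nfs_ports keep state
```

Check the pinning actually took with `rpcinfo -p` on the server: mountd should be listed on the port you passed to -p, and nothing else should be listening on a port that is not in $nfs_ports. If you also run rpc.lockd/rpc.statd, add their pinned ports to the macro, or locking will silently fail from the clients.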