Chuck Swiger wrote:

cpghost wrote:

How can one configure NFS daemons (esp. mountd and rpcbind) so that they listen only on one IP address (e.g. on 192.168.1.1)?


While some of the daemons are growing flags to bind only to specified addresses, it turns out to be unwise to depend on that capability alone to protect a fileserver. If you want to do NFS securely, you need to protect the network by using a firewall which prevents source-routing and address spoofing of internal hosts.

I know this is the default action in most scenarios.

However, in this very special case, using a packet filter is not an option.

The host is multi-homed, so a lot of address spoofing and source routing
tricks are not that easy anyway (though certainly not impossible, due to
the intricacies of NAT).

It would be nice if at least rpcbind honored its -h flag and mountd grew its
own flag to bind(2) to specific addresses. It's perhaps just a few lines of code;
I'll have to dive into that socket API though... :).


Thanks,
-cpghost.

--
Cordula's Web. http://www.cordula.ws/
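
One way to check which addresses rpcbind and mountd are actually bound to, as an added example that is not part of the original message. It assumes input in the column layout printed by FreeBSD's `sockstat -4 -l`; the sample lines are constructed, and `audit_binds` and `sample_sockstat` are hypothetical names.

```shell
#!/bin/sh
# Added example: report listening sockets of the named daemons that are
# not bound to the one address they are supposed to use.
# Input on stdin: lines with the columns
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
# Usage: audit_binds ALLOWED_IP DAEMON...

audit_binds() {
    allowed=$1; shift
    awk -v allowed="$allowed" -v daemons="$*" '
        BEGIN { n = split(daemons, d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
        NR == 1 && $1 == "USER" { next }    # skip the header line
        !($2 in want)           { next }    # not a daemon we were asked about
        $5 !~ /^(tcp|udp)/      { next }    # ignore unix-domain sockets
        {
            addr = $6; port = $6
            sub(/:[^:]*$/, "", addr)        # local address without the :port
            sub(/^.*:/, "", port)           # port after the last colon
            if (addr != allowed)            # "*" (wildcard) or any other address
                printf "%s pid=%s %s %s:%s not restricted to %s\n",
                       $2, $3, $5, addr, port, allowed
        }'
}

# Constructed sample input; on a live host pipe `sockstat -4 -l` in instead.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     mountd     612   5  udp4   *:1017                *:*
root     mountd     612   6  tcp4   *:1017                *:*
root     rpcbind    560   9  udp4   192.168.1.1:111       *:*
root     rpcbind    560   10 udp4   *:111                 *:*
root     rpcbind    560   11 tcp4   192.168.1.1:111       *:*
root     nfsd       640   3  tcp4   192.168.1.1:2049      *:*
root     sshd       700   4  tcp4   *:22                  *:*
EOF
}

# Demo run: prints one line per socket that is not bound to 192.168.1.1.
sample_sockstat | audit_binds 192.168.1.1 rpcbind mountd
```

Any line printed is a socket reachable on an address other than the intended one, which is the case the bind-only flags are meant to eliminate.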