Would NFS tunneled through SSH be acceptable? dbc.
On Tue, 29 Jan 2002, Lonnie Cumberland wrote:

> Hi Nicolas,
>
> I think that after much thought that I will opt to try to explain to
> them the security problems of using NFS over the firewall and try to
> use another solution instead.
>
> Thanks for all of the help to you and everyone on the list who always
> seems to try to answer most of my seemingly dumb questions.
>
> Cheers,
> Lonnie
>
> > Hi Lonnie!
> >
> > > Actually we are still a small company and this particular job
> > > is for some friends, a research group at the university who has
> > > recently had problems, who will not listen to reason about the
> > > problems of port-forwarding services like NFS. With that in
> > > mind, I told them that I would help get them as secure as
> > > possible given their specific
> > > requirements.
> >
> > Sorry, that's what I realized when I rethought about this (ie
> > that it must have been something not internal to your
> > company...).
> >
> > BTW, I hope these people are not in CS...
> >
> > > Like many people in the academic arena, it will take getting
> > > hacked and attacked a few times before they realize that they
> > > should have listened to more well informed people in the past,
> > > like me, who has tried very hard to get them out of the current
> > > mentality of "patch-work" until the next problem.
> >
> > If these weren't your friends I would almost be tempted to
> > suggest that you get this in writing that they prefer that
> > solution over a more secure one (after being informed of the
> > security implications).... (Some good ol' CUA...)
> >
> > > So, being this, I will simply try to make the best out of what
> > > they have and will let get done.
> >
> > The problem seems to be that NFS doesn't seem to be very firewall
> > friendly...
> >
> > > These guys will learn with time I am sure.
> >
> > For their sake I hope so... (and before they get seriously
> > hacked)
> >
> > > After making some changes to the firewall and setting up the
> > > port-forwarding for sunrpc and nfs on udp packets, I am no
> > > longer getting an RPC time out but now just:
> > >
> > > mount: RPC: Unable to receive; errno = Connection refused
> >
> > This might seem like a dumb question (and sorry if you mentioned
> > the answer to this one before, I couldn't find it) but were they
> > communicating with each other before the firewall was installed?
> >
> > Anything in the logs?
> >
> > I haven't "played" with NFS recently but if I had that message I
> > think I would check if I got the appropriate/relevant entries in
> > hosts.allow & hosts.deny (ie lines for portmap, lockd, mountd,
> > rquotad & statd).
> >
> > [The text at the following URL might be useful in getting this
> > right:
> > <http://www.smartcomputing.com/editorial/article.asp?article=articles%2F2001%2Fs1206%2F48s06web%2F48s06web%2Easp>]
> >
> > (Sorry, this might be too long for the mailing list, you'll
> > probably have to cut & paste it...)
> >
> > >
> > > on the client machine when I try to mount the directory.
> > >
> > > The client can be seen on the DNS as well as the server has
> > > the client IP in its hosts file.
> >
> > I assumed here that you meant the hosts files and not the
> > hosts.allow & hosts.deny file, sorry if that was not the case...
> >
> > >
> > > Any ideas from here?
> > >
> >
> > BTW, did you try opening the ports mentioned in the messages I
> > posted? Apparently it's not easy getting them right but I do
> > believe one of the messages actually mentioned a way of finding
> > them out (rpcinfo -p or rpcinfo -p localhost)
> >
> > I did see a mention at the following URL
> > <http://www.io.com/help/linux/NFS-HOWTO-5.html> (NFS and
> > firewalls) that it might be possible to change the ports used by
> > NFS to some specific ports but how this is done I unfortunately
> > don't know (sorry...).
> >
> > Have a nice day & good luck!
> >
> > Nick
> >
> > _______________________________________________
> > Leaf-user mailing list
> > [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/leaf-user
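
The `rpcinfo -p` check mentioned in the quoted reply, as an added example that is not part of the original thread: it reduces the listing to the protocol/port pairs a firewall rule set would have to cover and marks which ones are not fixed. The sample listing, the function names and the port numbers in it are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output from an NFS server
# (illustrative values, not taken from the thread).
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    932  status
    100024    1   tcp    935  status
    100011    1   udp    787  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  32768  nlockmgr
    100021    3   udp  32768  nlockmgr
    100005    1   udp    953  mountd
    100005    1   tcp    956  mountd
    100005    3   udp    953  mountd
EOF
}

# Reads `rpcinfo -p` output on stdin and prints one line per unique
# proto/port/service: "<proto> <port> <service> <fixed|dynamic>".
# 111 (portmapper) and 2049 (nfs) are the conventional fixed ports; any
# other port was registered with the portmapper at start-up and may be
# different after a restart unless the daemon is pinned to a port.
nfs_ports() {
    awk '$4 ~ /^[0-9]+$/ {
        key = $3 " " $4 " " $5
        if (seen[key]++) next            # collapse multiple RPC versions
        kind = ($4 == 111 || $4 == 2049) ? "fixed" : "dynamic"
        print $3, $4, $5, kind
    }' | sort -k2,2n -k1,1
}

# Number of proto/port pairs that a static forwarding rule cannot rely on.
dynamic_count() {
    nfs_ports | awk '$4 == "dynamic"' | wc -l | tr -d ' '
}

# On a real server: rpcinfo -p localhost | nfs_ports
sample_rpcinfo | nfs_ports
```

Every line marked `dynamic` is a port that would have to be forwarded today and re-checked after each restart of the NFS daemons.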
