That makes a lot of sense, and I can explain to our security folks that I
can bind it to a specific IP address, so that they don't have to worry.

I did a test of using an 'outboard' engine to do the virus scan of a
z/Linux guest and compared it to the same scan of the guest natively. I am
only on a 100 megabit max network that is used by 'everybody' so I didn't
get the speed a dedicated connection would get me, but it ran reasonably
well.

Natively it took 29 minutes and used 100% of one CP for most of that
period. From my little slackware box under my desk, it took 42 minutes.
The CP on the z/Linux guest was driven up above the normal 'statistical
noise floor' by about 10%. Typically normal system use is 10% so it pushed
it to about 20%. Still, that is 80% less than pegging the meter. The
Slackware on Intel box never averaged above 35% CP use for the duration of
the scan.

Seems to me on a utilized 100 mbit network, getting an average blocks per
second (1 K blocks) sent of about 550 wasn't too bad. I will test this on a
gigabit backbone at some point soon. Ultimately a dedicated interface that
has no other network traffic on it would be ideal.

From: "Post, Mark K" <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port <[EMAIL PROTECTED]>
Sent: 03/09/2005 11:52 AM
Please respond to: Linux on 390 Port <[EMAIL PROTECTED]>
To: [email protected]
Subject: Re: NFS and specific ethernet interfaces

You can come pretty close by using /etc/exports to control what IP addresses
can access the NFS shares. This doesn't really get tied to a particular
interface, per se, but it does allow you to limit which systems can get to
what shares. "man exports" will explain how you do that.

Mark Post

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of James Melin
Sent: Wednesday, March 09, 2005 12:03 PM
To: [email protected]
Subject: NFS and specific ethernet interfaces

Is it possible to set up NFS so that it only exposes local NFS shares to a
specific ethernet interface? I am going to take a shot at having a side
scanning engine running to do file system antivirus scanning via NFS mount.
After enough people perked up and gave me advice I could shake in front of
my management, they have become more amenable to having a wintel box.

That said, I am not comfortable exposing the entire file system via NFS
unless I can control what ethernet interface the NFS access can be
accomplished by.

I intend to dedicate a 100 mbit osa port to VM and the linux machines, and
borrow a 2 or 4 way cast off server that was heading to the junk pile
(Ahem.... Depreciated asset pile) and see how it all works. It would make me
feel better from a security standpoint if I could dedicate the specific
shares to a specific ethernet interface.

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions, send email
to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
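
The /etc/exports restriction suggested in the thread only helps if every export really is limited to the scanner's address. The following is an added example, not code from the thread: a small Python check that lists every export client that is anything other than a single allowed IP, including the "host (opts)" spacing slip described in "man exports". The sample file, paths, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample /etc/exports; paths and addresses are made up.
SAMPLE_EXPORTS = """\
# intended: only the scanner box at 192.0.2.10 may mount anything
/           192.0.2.10(ro)
/home       192.0.2.0/24(ro)
/srv        *.example.com(ro)
/opt        192.0.2.10 (ro)
/var        192.0.2.10(ro) \\
            @scanners(ro)
/tmp
"""

def parse_exports(text):
    """Yield (path, client) pairs; client '' means any host may mount."""
    text = text.replace("\\\n", " ")          # join continuation lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        path, *specs = line.split()
        if not specs:                         # bare path: no client restriction
            yield path, ""
        for spec in specs:
            # "host(opts)" -> "host"; a detached "(opts)" -> "" (any host)
            yield path, re.sub(r"\(.*\)$", "", spec)

def audit_exports(text, allowed_ips):
    """Return (path, client, reason) for each client that is not an allowed IP."""
    allowed = {ipaddress.ip_address(a) for a in allowed_ips}
    findings = []
    for path, client in parse_exports(text):
        if client in ("", "*"):
            reason = "any host"
        elif client.startswith("@"):
            reason = "netgroup"
        else:
            try:
                net = ipaddress.ip_network(client, strict=False)
            except ValueError:
                reason = "hostname or wildcard"
            else:
                if net.num_addresses == 1 and net.network_address in allowed:
                    continue
                reason = "not a single allowed address"
        findings.append((path, client, reason))
    return findings
```

Calling audit_exports(SAMPLE_EXPORTS, ["192.0.2.10"]) reports /home, /srv, /opt, /var and /tmp; the /opt entry is flagged because the space before "(ro)" exports it to any host.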