Thank you sir, I had a feeling that was it. 

-----Original Message-----
From: Foreman, Tim [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 14, 2006 11:38 AM
To: Brad Dormanen; [email protected]
Subject: RE: [OF-users] Interesting NFS security problem

You need to use a netmask of 255.255.255.255 to lock it to the single
host.

255.255.254.0 locks you to two class C networks

i.e. 10.10.10.43/255.255.254.0 lets in
10.10.10.* and 10.10.11.*

--Tim

> -----Original Message-----
> From: Brad Dormanen [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 14, 2006 10:14 AM
> To: [email protected]
> Subject: [OF-users] Interesting NFS security problem
> 
> 
> 
> **Build Release**
> Distro Release        GUI Version
> Openfiler NAS/SAN Appliance 2.2       2.2.r1112-1-1
> **Updated Release**
> Distro Release        GUI Version
> Openfiler NAS/SAN Appliance 2.2       2.2.r1144-1-1
> 
> What we are trying to do is put this Openfiler system on the internet 
> and only serve NFS shares to a few RHEL3 servers for mirroring backup 
> data. I know it's not the most secure way to do this, but my 
> understanding was that the network level security would be plenty.
> 
> Here is my test:
> 
> Openfiler Share
> /mnt/volgroup1/vol1/share1/
> 
> Public guest access
> 
> WEB5 NFS RW only
> 
> Name          Network/Host    Netmask                 Type
> WEB5          x.x.x.43                255.255.254.0   Share 
> (IPs have been removed for the email)
> 
> On the WEB5 Server the following works fine.
> mkdir /mnt/nfs
> mount -t nfs openfilerserver:/mnt/volgroup1/vol1/share1/ /mnt/nfs
> 
> Dec 14 11:02:04 SERVER rpc.mountd: authenticated mount request from
> x.x.x.42:938 for /mnt/volgroup1/vol1/share1
> (/mnt/volgroup1/vol1/share1)
> 
> WEB5 is at .43 and according to openfiler should be the only system 
> allowed to access this share. Turns out that when I run the same 
> command on a different server in that network but at address .42 
> (WEB4) I can also mount that share. Clearly I have defeated the 
> network security.
> Either my logic is off or it's something else.
> 
> I have tested the mount on another system that is not in that IP range
> and I am denied access so I know something is working.
> 
> Your help is greatly appreciated.
> 
> Regards,
> 
> Brad
> _______________________________________________
> Openfiler-users mailing list
> [email protected]
> https://lists.openfiler.com/mailman/listinfo/openfiler-users
> 
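
Added example, not part of the original thread: a Python check of which clients a host/netmask access entry really admits, using the 10.10.10.43 address from Tim's reply. It assumes the server matches a client by masking both addresses with the entry's netmask; the function names are hypothetical.

```python
import ipaddress


def admitted_range(host, netmask):
    """Network that a host + netmask entry admits (assumed mask-based match)."""
    # strict=False drops the host bits, exactly what a mask comparison does.
    return ipaddress.ip_network(f"{host}/{netmask}", strict=False)


def is_admitted(client, host, netmask):
    """True if the client address falls inside the entry's admitted range."""
    return ipaddress.ip_address(client) in admitted_range(host, netmask)


def audit_entry(name, host, netmask, intended_hosts):
    """Compare what an entry admits with the hosts it was written for."""
    net = admitted_range(host, netmask)
    intended = [ipaddress.ip_address(h) for h in intended_hosts]
    covered = [h for h in intended if h in net]
    return {
        "name": name,
        "network": str(net),
        "first": str(net[0]),
        "last": str(net[-1]),
        "addresses": net.num_addresses,
        # Addresses admitted beyond the intended hosts.
        "excess": net.num_addresses - len(covered),
        # Intended hosts the entry fails to admit.
        "missed": [str(h) for h in intended if h not in net],
    }


if __name__ == "__main__":
    # Constructed entries: the address from the reply with both netmasks.
    entries = [
        ("WEB5 (as configured)", "10.10.10.43", "255.255.254.0"),
        ("WEB5 (single host)", "10.10.10.43", "255.255.255.255"),
    ]
    for name, host, mask in entries:
        report = audit_entry(name, host, mask, ["10.10.10.43"])
        print(report)
        for client in ("10.10.10.42", "10.10.11.7", "10.10.12.1"):
            print("   ", client, "admitted:", is_admitted(client, host, mask))
```

A non-zero `excess` on an entry meant for one host is the condition to flag when reviewing export lists.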