On Thu, 7 Nov 2002, Ed Wilts wrote:

> On Thu, Nov 07, 2002 at 03:21:49PM -0800, Todd A. Jacobs wrote:
> > On Thu, 7 Nov 2002, Ed Wilts wrote:
> >
> > > I used 0/0 as an example. If you choose to map source uid/gid of
> > > 500/500 to local uid/gid 600/600, then you still trust the remote
> > > system's view of who 500/500 is. root_squash does not help you here.
> >
> > root_squash and all_squash are mapped automatically to nobody. Sure, you
> > could override that, but then you can stick a gun barrel in your mouth,
> > too; doesn't mean it's wise, and the fault doesn't lie with the gun.
>
> I'll agree with you for readonly file sharing. For read/write, I'll
> stick by my claims. I think we were both arguing the same thing except
> that I was thinking read/write and you were thinking readonly.
>
> .../Ed
>
> The people that really understand how to manage NFS securely across the
> Internet don't post NFS questions to this list :-)

True enough (says the person who posted the original question). But I
wasn't trying to do it across the Internet. I just wanted to share some
directories and some files on a server on a LAN behind a firewall. I had
the simple lokkit firewalls on all the machines on the LAN, but my main
firewall currently only permits ssh from outside.

It sounds like the conclusion is just not to bother firewalling the
machines on the LAN at all. (I'm pretty safe from my internal users, as
this is my home LAN.) Is there anything on the LAN-to-Internet firewall
(also iptables) that I need to be aware of to prevent NFS from "leaking
out"?

Is that about right?

Thanks.

-- 
Matthew Saltzman
Clemson University Math Sciences
[EMAIL PROTECTED]
http://www.math.clemson.edu/~mjs

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
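
The squash and read/write distinction argued in the quoted exchange can be checked mechanically against an exports file. The following is an added example, not part of the original messages: a small audit that reports, per export and client, whether it is writable and which client-asserted uids/gids the server accepts as-is. It assumes AUTH_SYS-style NFS, where the client supplies the uid/gid, and exports(5) defaults of `ro` and `root_squash`; the sample paths and addresses are constructed.

```python
import re

# Constructed sample in exports(5) syntax; the paths and addresses are made up.
SAMPLE_EXPORTS = """\
/srv/pub      192.168.1.0/24(ro)
/srv/home     192.168.1.0/24(rw)   # root_squash is the default
/srv/scratch  192.168.1.0/24(rw,all_squash,anonuid=600,anongid=600)
/srv/admin    192.168.1.5(rw,no_root_squash)
/srv/oops     192.168.1.7 (rw)
"""

SPEC_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")

def parse_exports(text):
    """Yield (path, client, options) per client entry; '*' means any host."""
    for raw in text.replace("\\\n", " ").splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        path, specs = fields[0], fields[1:] or [""]
        for spec in specs:
            m = SPEC_RE.match(spec)
            if not m:
                raise ValueError(f"unparsable client spec: {spec!r}")
            client, opts = m.group(1) or "*", m.group(2) or ""
            yield path, client, {o.strip() for o in opts.split(",") if o.strip()}

def trusted_ids(opts):
    """Which client-asserted uids/gids the server accepts as-is."""
    if "all_squash" in opts:
        return "none"          # every id is mapped to the anonymous user
    if "no_root_squash" in opts:
        return "all"           # even uid 0 is taken at the client's word
    return "non-root"          # default root_squash: only uid/gid 0 is remapped

def audit(text):
    """Return (path, client, access, trusted, flag); flag marks writable exports that trust client ids."""
    rows = []
    for path, client, opts in parse_exports(text):
        access = "rw" if "rw" in opts else "ro"   # ro is the default
        trusted = trusted_ids(opts)
        flag = access == "rw" and trusted != "none"
        rows.append((path, client, access, trusted, flag))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE_EXPORTS):
        print("%-13s %-16s %-2s trusts=%-8s %s" % (*row[:4], "REVIEW" if row[4] else "ok"))
```

The last sample line shows the space-before-parenthesis case from exports(5): the named host gets the defaults and the `(rw)` applies to every other host.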