Re: Question on the safety sharing NFS with untrusted machines.

2002-08-08 Thread Michelle Konzack
Hello, 

At 13:28 03/08/02 +0200, Cristian Ionescu-Idbohrn wrote:
>
>On Fri, 2 Aug 2002, Michelle Konzack wrote:
>
>> there is a Debian-Package ssl-nfs (or secure-nfs) in the Mirror...
>> It is much more safe than all other tricks with your Networks.
>
>And what mirror would that be? Any pointers?

I do not know where I downloaded it, because my own linux-mirror 
(200 GB) crashed while I was in hospital last year... 

I think it was a name like: sslnfs, ssl-nfs, nfs-ssl, 
nfsssl or secure-nfs

It was packed as rpm and deb.
Maybe I had downloaded it from http://www.linuxberg.com/ (tucows)

Michelle


>Cheers,
>Cristian
>
> ##  Get the Power of Debian/GNU-Linux  ##



Re: Question on the safety sharing NFS with untrusted machines.

2002-08-03 Thread Cristian Ionescu-Idbohrn
On Fri, 2 Aug 2002, Michelle Konzack wrote:

> there is a Debian-Package ssl-nfs (or secure-nfs) in the Mirror...
> It is much more safe than all other tricks with your Networks.

And what mirror would that be? Any pointers?


Cheers,
Cristian



Re: Question on the safety sharing NFS with untrusted machines.

2002-08-02 Thread Michelle Konzack
Hello, 

there is a Debian-Package ssl-nfs (or secure-nfs) in the Mirror...
It is much more safe than all other tricks with your Networks.

Michelle

At 13:07 25/07/02 -0500, Dast wrote:
>
>Hello all,

>So my question is, is it safer to host the NFS from the DMZ and mount
>remotely on machines in the internal network, or host the NFS from a
>machine on the internal network and remotely mount in the DMZ?  Or
>does it matter?  Any suggestions or pointers to relevant docs would be
>greatly appreciated.  Also, does anyone know what traffic, at minimum,
>I need to allow to share NFS?
>
> ##  Get the Power of Debian/GNU-Linux  ##



Re: Question on the safety sharing NFS with untrusted machines.

2002-07-26 Thread Joseph Dane
> "cfy1" == cfy1   writes:

 cfy1> Hmm, I'll look into those filesystems.  Are they supported in
 cfy1> stock Debian kernels and userland tools or do they require
 cfy1> extra patches?

dunno about SFS.  AFS is packaged, but requires some kernel
modifications (IIRC it's just a kernel module) and a fair amount of
setup.  there are some good docs, including a Debian specific
cheatsheet in the Debian package. even then, it is not easy to set
up.  also, while it's probably possible to get a stable configuration,
I found that slight misconfiguration or ill-usage caused system
lockups and crashes.

-- 

joe


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Question on the safety sharing NFS with untrusted machines.

2002-07-25 Thread Mike Renfro
On Thu, Jul 25, 2002 at 07:23:43PM -0700, Rick Moen wrote:

> > Hmm, I'll look into those filesystems.  Are they supported in stock
> > Debian kernels and userland tools or do they require extra patches?
> 
> I have no idea about Debian packaging.
> 
> For SFS of Linux, you'll need your Linux system to have a kernel with
> NFSv3 support included.

Packaged in woody and sid, at least. Reasonably easy to set up,
too. Not pam-aware, as best I can tell. However, that's not a critical
failing.

-- 
Mike Renfro  / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- [EMAIL PROTECTED]





Re: Question on the safety sharing NFS with untrusted machines.

2002-07-25 Thread Rick Moen
Quoting Dast ([EMAIL PROTECTED]):

> Hmm, I'll look into those filesystems.  Are they supported in stock
> Debian kernels and userland tools or do they require extra patches?

I have no idea about Debian packaging.

For SFS of Linux, you'll need your Linux system to have a kernel with
NFSv3 support included.

http://www.fs.net/

AFS is a rather large topic, and I was hoping you were briefed about it
already.  It does require kernel support, and is _most definitely_ not 
recommended if you want a quick and easy solution.  Sorry.

-- 
Cheers,              "Don't use Outlook.  Outlook is really just a security
Rick Moen            hole with a small e-mail client attached to it."
[EMAIL PROTECTED]    -- Brian Trosko in r.a.sf.w.r-j






Re: Question on the safety sharing NFS with untrusted machines.

2002-07-25 Thread Dast
Rick Moen <[EMAIL PROTECTED]> writes:

> Any chance you could use AFS or SFS for this, instead?  As Mike Renfro 
> points out, you're creating an intermachine dependency between the 
> bastion host and the inside machine no matter how you do it, but at 
> least, with those, the mount and resource-access traffic is not as 
> exposed.

Hmm, I'll look into those filesystems.  Are they supported in stock
Debian kernels and userland tools or do they require extra patches?

-- 
--Dast

 "Practice allows me to receive information like faxes."
  Pharoahe Monch





Re: Question on the safety sharing NFS with untrusted machines.

2002-07-25 Thread Dast
[EMAIL PROTECTED] (Lupe Christoph) writes:

> If you don't have realtime requirements, you could rsync between
> the two machines.

The amount of data is many gigabytes, so I don't want to duplicate
things and use twice the disk space.  Otherwise that would be a fine
solution.

-- 
--Dast

 "Practice allows me to receive information like faxes."
  Pharoahe Monch





Re: Question on the safety sharing NFS with untrusted machines.

2002-07-25 Thread Rick Moen
Quoting Dast ([EMAIL PROTECTED]):

> My problem is, I need to have a network mount shared between a machine
> in the DMZ ("untrusted") and machines in the internal network.
> Hosting NFS on the ipmasq box is not an option for me.
 
Any chance you could use AFS or SFS for this, instead?  As Mike Renfro 
points out, you're creating an intermachine dependency between the 
bastion host and the inside machine no matter how you do it, but at 
least, with those, the mount and resource-access traffic is not as 
exposed.

-- 
Cheers,              "Linux means never having to delete your love mail."
Rick Moen            -- Don Marti
[EMAIL PROTECTED]





Re: Question on the safety sharing NFS with untrusted machines.

2002-07-25 Thread Lupe Christoph
On Thursday, 2002-07-25 at 14:51:09 -0500, Dast wrote:
> Mike Renfro <[EMAIL PROTECTED]> writes:

> > On Thu, Jul 25, 2002 at 01:07:19PM -0500, Dast wrote:

> > > So my question is, is it safer to host the NFS from the DMZ and
> > > mount remotely on machines in the internal network, or host the NFS
> > > from a machine on the internal network and remotely mount in the
> > > DMZ?  Or does it matter?

> > I suppose it depends on what sort of activity you need to do over the
> > NFS mount.

> Thanks for the feedback.  That certainly gives me something to chew
> on. 

> The mount will be just bulk file storage.  I haven't decided if the
> machine in the DMZ needs read/write or just read access, however.
> Everything on that mount should be publicly accessible to all users,
> so in terms of one user getting another's files, that isn't an issue.

If you don't have realtime requirements, you could rsync between
the two machines.

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|





Re: Question on the safety sharing NFS with untrusted machines.

2002-07-25 Thread Dast
Mike Renfro <[EMAIL PROTECTED]> writes:

> On Thu, Jul 25, 2002 at 01:07:19PM -0500, Dast wrote:
> 
> > So my question is, is it safer to host the NFS from the DMZ and
> > mount remotely on machines in the internal network, or host the NFS
> > from a machine on the internal network and remotely mount in the
> > DMZ?  Or does it matter?
> 
> I suppose it depends on what sort of activity you need to do over the
> NFS mount.

Thanks for the feedback.  That certainly gives me something to chew
on. 

The mount will be just bulk file storage.  I haven't decided if the
machine in the DMZ needs read/write or just read access, however.
Everything on that mount should be publicly accessible to all users,
so in terms of one user getting another's files, that isn't an issue.

-- 
--Dast

 "Practice allows me to receive information like faxes."
  Pharoahe Monch





Re: Question on the safety sharing NFS with untrusted machines.

2002-07-25 Thread Mike Renfro
On Thu, Jul 25, 2002 at 01:07:19PM -0500, Dast wrote:

> So my question is, is it safer to host the NFS from the DMZ and
> mount remotely on machines in the internal network, or host the NFS
> from a machine on the internal network and remotely mount in the
> DMZ?  Or does it matter?

I suppose it depends on what sort of activity you need to do over the
NFS mount. Whoever gets root on an NFS client effectively gets access
to both root-owned and user-owned files on the NFS share, whether
directly or via su. Whoever gets root on the NFS server can obviously
mess with the clients pretty heavily.

With a non-compromised server in the internal network, you do have the
options to share the NFS area read-only, and/or squash root access to
be identical to some unprivileged user.

So if the need for NFS access is something along the lines of needing
access to files in people's public_html directories for web serving,
I'd put the NFS server on the internal network, share out /home as
read-only and let each user manage their permissions in the
public_html directory. Perhaps a better solution would be to put all
user web files into a single tree outside their home, and only share
that area.

Having no idea what you intend to do with the NFS mount, I'll refrain
from further examples.

-- 
Mike Renfro  / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- [EMAIL PROTECTED]
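
Added example, not part of the original message or thread: a small audit of an `/etc/exports` file for the two controls mentioned above (read-only export and root squashing) as they apply to DMZ clients. The DMZ range `192.0.2.0/24`, the sample exports and all function names are assumptions made for illustration; the check also covers the exports(5) pitfall where a space before the parenthesis applies the options to every host.

```python
import ipaddress
import re

# Assumption for this sketch: the DMZ is 192.0.2.0/24 (a documentation range).
DMZ = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample /etc/exports, not taken from the thread.
SAMPLE_EXPORTS = """\
# internal NFS server exporting to the DMZ web host
/srv/pubweb   192.0.2.10(ro,root_squash,sync)
/home         192.0.2.10(rw,no_root_squash) 10.0.0.0/24(rw)
/srv/bulk     192.0.2.0/24(ro,all_squash,anonuid=65534,anongid=65534)
/srv/drop     192.0.2.10 (rw)
"""

# "client(opt,opt)" with both parts optional: "client" alone or "(opts)" alone.
ENTRY = re.compile(r"(\S*?)(?:\(([^)]*)\))?$")

def parse_exports(text):
    """Yield (path, client, options) for every client entry in exports(5) text."""
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        line = line.split("#", 1)[0].strip()              # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            client, opts = ENTRY.match(token).groups()
            # A bare "(opts)" token (space before the parenthesis) applies to all hosts.
            yield path, client or "*", set(opts.split(",")) if opts else set()

def is_untrusted(client):
    """True when the client spec is a wildcard or overlaps the DMZ network."""
    try:
        return ipaddress.ip_network(client, strict=False).overlaps(DMZ)
    except ValueError:
        return True  # hostnames, wildcards, netgroups: cannot prove they are internal

def audit(text):
    """Return findings for exports that give untrusted clients write or root access."""
    findings = []
    for path, client, opts in parse_exports(text):
        if not is_untrusted(client):
            continue
        if "rw" in opts:                  # ro is the default when rw is absent
            findings.append((path, client, "writable"))
        if "no_root_squash" in opts:      # root_squash is the default
            findings.append((path, client, "root not squashed"))
    return findings
```
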





Question on the safety sharing NFS with untrusted machines.

2002-07-25 Thread Dast
Hello all,

I'm looking at re-arranging my network, which currently consists of an
ipmasq box with 3 nics, one going to the outside, one going to a DMZ,
and one going to an internal network.  The masq box allows a few
services into machines in the DMZ, restricts the DMZ from getting
outside except in response to incoming requests, allows one machine in
the internal network to ssh into machines in the DMZ, and otherwise
disallows the DMZ machines to get into the internal network.

My problem is, I need to have a network mount shared between a machine
in the DMZ ("untrusted") and machines in the internal network.
Hosting NFS on the ipmasq box is not an option for me.

So my question is, is it safer to host the NFS from the DMZ and mount
remotely on machines in the internal network, or host the NFS from a
machine on the internal network and remotely mount in the DMZ?  Or
does it matter?  Any suggestions or pointers to relevant docs would be
greatly appreciated.  Also, does anyone know what traffic, at minimum,
I need to allow to share NFS?

-- 
--Dast

 "Practice allows me to receive information like faxes."
  Pharoahe Monch

