From owner-freebsd-fs@FreeBSD.ORG Sun Sep 7 23:36:40 2008 Return-Path: Delivered-To: freebsd-fs@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 37AEC106567A for ; Sun, 7 Sep 2008 23:36:40 +0000 (UTC) (envelope-from jdc@koitsu.dyndns.org) Received: from QMTA09.emeryville.ca.mail.comcast.net (qmta09.emeryville.ca.mail.comcast.net [76.96.30.96]) by mx1.freebsd.org (Postfix) with ESMTP id 0BDD08FC15 for ; Sun, 7 Sep 2008 23:36:39 +0000 (UTC) (envelope-from jdc@koitsu.dyndns.org) Received: from OMTA11.emeryville.ca.mail.comcast.net ([76.96.30.36]) by QMTA09.emeryville.ca.mail.comcast.net with comcast id Bn5A1a0070mlR8UA9zcfDX; Sun, 07 Sep 2008 23:36:39 +0000 Received: from koitsu.dyndns.org ([67.180.253.227]) by OMTA11.emeryville.ca.mail.comcast.net with comcast id Bzcd1a0054v8bD78XzcdXG; Sun, 07 Sep 2008 23:36:37 +0000 X-Authority-Analysis: v=1.0 c=1 a=_xSQw29cvt0A:10 a=mtup3TuceYcA:10 a=6I5d2MoRAAAA:8 a=QycZ5dHgAAAA:8 a=jKem1x4PJD2K3_lIUQsA:9 a=N--hJpdv3fJlx6R3b5CcVKkyEGwA:4 a=EoioJ0NPDVgA:10 a=LY0hPdMaydYA:10 Received: by icarus.home.lan (Postfix, from userid 1000) id 19B8F17B84E; Sun, 7 Sep 2008 16:36:37 -0700 (PDT) Date: Sun, 7 Sep 2008 16:36:37 -0700 From: Jeremy Chadwick To: Dmitry Morozovsky Message-ID: <20080907233637.GA51889@icarus.home.lan> References: <20080907220104.GA26094@icarus.home.lan> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.18 (2008-05-17) Cc: freebsd-fs@freebsd.org, Pawel Jakub Dawidek Subject: Re: ZFS filesystem: export for more than one subnet X-BeenThere: freebsd-fs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Filesystems List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Sep 2008 23:36:40 -0000 On Mon, Sep 08, 2008 at 02:43:03AM +0400, Dmitry Morozovsky wrote: > On Sun, 7 Sep 2008, Jeremy Chadwick wrote: > > JC> > is there any way so one can export ZFS file system to more than one net? > JC> > > JC> > in classic NFS I would use more than one line in /etc/exports -- how can I > JC> > express such behaviour in zfs properties? > JC> > JC> Didn't you inadvertently ask this same question 6 months ago? :-) > JC> > JC> http://lists.freebsd.org/pipermail/freebsd-current/2008-March/084079.html > > Well, not exactly - that time I did not bump into different destination problem > ;) > > JC> I believe if 'sharenfs=off' (the default), you can manage NFS mounts via > JC> /etc/exports like normal. Ideally, you should (?) be able to use > JC> multiple "-network xxx/netmask" entries on the same export line. > > Hmm, that would do the trick; however, it seems to me that ZFS file system > properties should be producet from the single source. I interpret this to mean "there should be only one export(5) file used". That would be something to take up with pjd@, but I'm willing to bet that behaviour is not going to change. There is probably a good reason why /etc/zfs/exports exists. That said, what happens if you edit /etc/zfs/exports by hand, then run "zfs list -o sharenfs"? Does it show the changes you put in place? If so, then great -- it means there's two ways a person can edit the NFS-exported ZFS shares (by editing the file directly, or using "zfs"). > JC> If you absolutely must do it via the 'zfs' command, according to pjd@'s > JC> EuroBSDCon presentation, this should work: > JC> > JC> # /etc/rc.d/mountd start > JC> # zfs set sharenfs="ro,network=x.x.x.x,mask=y.y.y.y" some_fs > JC> # /etc/rc.d/mountd reload > > Well, this configures only one network per file system, isn't it? BTW, mountd > will be reloaded by zfs automagically (and, as Kris bumps ito it, it would > create a problem with race hole of inaccessible NFS mounts while mountd reloads > the list) Does the below work? # zfs set sharenfs="ro,network=aaa/xx,network=bbb/yy,network=ccc/zz" some_fs If not (e.g. mountd rejects it, or only the first network is used), then this would indicate a problem with the exports file syntax / problem with mountd, and not with ZFS. Solaris solves all of this, AFAIK, by having a central command that manages the export list: share(1). "zfs" on Solaris even calls this. BSD does not have this utility. > JC> However, I'd advocate you consider running pf on the machine running > JC> mountd instead, and use an actual firewall to block who can talk to > JC> mountd on the machine exporting the shares. > > I would prefer to do both ;) Oh, and hosts.allow possibly too... Or, would it > be too inefficient? There is absolutely no reason to do both. Packets arriving on the network will hit the pf stack before ever reaching mountd, which is perfect, and a good security model. Additionally, libwrap (hosts.allow/deny) is a travesty, and should be nuked from the face of the planet. It provides a false sense of security -- it doesn't stop someone (anyone!) from being able to actually connect to that TCP port (or in the case of UDP, I believe a deny/rejection will actually send back a packet of some kind), which means people will then know you've got (rpcbind|mountd|ftpd|whatever) running, which gives an attacker/hacker significant hints about what your system is running, and more ammunition. -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB |