From owner-freebsd-questions Wed Nov 3 11:42:15 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 7364E1558B; Wed, 3 Nov 1999 11:42:10 -0800 (PST) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id LAA61182; Wed, 3 Nov 1999 11:40:39 -0800 (PST) (envelope-from dillon)
Date: Wed, 3 Nov 1999 11:40:39 -0800 (PST)
From: Matthew Dillon
Message-Id: <199911031940.LAA61182@apollo.backplane.com>
To: "Juan Lorenzana"
Cc: hackers@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG, lorenzaj@agcs.com
Subject: Re: nfs cookie spoofing patch
References: <38208DDC.297EE98B@agcs.com>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

:I was wondering if I could get some help.
:
:I am running a FreeBSD 2.2.8 machine configured as an nfs server. We are
:trying to get another machine running 2.2.8 to mount from the nfs
:server. Our challenge is that we are using a virtual ip and would like
:to mount the virtual ip. We are already doing this with SCO unix as
:well as Sun Solaris. The problem is that when I type
:
:mount -t argonnfs:/u /u
:(I have also tried with -o -i,-s,-r=1024,-w=1024 options and all
:permutations of the options, including mount_nfs -T)
:
:I'll hang waiting for the request to time out. After extensive
:troubleshooting, I think it is because of the "security feature" to prevent NFS
:cookie spoofing based attacks. Basically, there is an nfs check that
:will not allow the freebsd nfs client to request an nfs mount and have the
:machine where the nfs request is being made reply with its real ip

The problem is due to the NFS server responding to the NFS client's request using a different IP address. The NFS client is expecting the response from the same IP that it sent the request to. The bug is on the server-side, not really the client side.

Many people have been bitten by this problem and it would be cool if someone submitted a patch to fix it. I will get to it eventually but I'm kinda tied up at the moment. It would be a severe security hole to allow the client to process responses from a different IP address than the request was sent to.

-Matt
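The behaviour Matt describes, reproduced over UDP on loopback as an added example that is not code from this thread or from FreeBSD: a client that accepts a reply only from the endpoint it sent the request to, a server bound to the wildcard address whose reply the kernel sources from the "real" address (so the client drops it and times out), and the same server bound to the "virtual" address, whose reply is accepted. It assumes Linux-style loopback, where 127.0.0.2 is reachable without extra configuration; the addresses and payloads are constructed.

```python
import socket
import threading

# Constructed stand-ins: the server's "real" address is 127.0.0.1 and its
# "virtual" service address is 127.0.0.2 (both loopback on Linux).
REAL_IP = "127.0.0.1"
VIRTUAL_IP = "127.0.0.2"
TIMEOUT = 0.5


def start_server(bind_ip):
    """Start a one-shot UDP reply server bound to bind_ip; return its port.

    Bound to "0.0.0.0" the reply leaves with whatever source address the
    kernel picks (the real address), not the virtual address the request
    was sent to. Bound to the virtual address, the reply's source matches."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((bind_ip, 0))
    port = srv.getsockname()[1]

    def serve():
        data, client = srv.recvfrom(1024)
        srv.sendto(b"reply:" + data, client)  # source address chosen by kernel
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def request(server_addr, payload=b"req"):
    """Send one datagram; accept only a reply whose source (ip, port) equals
    server_addr, as the NFS client in the thread does. Returns the reply, or
    None after a timeout, which is the 'hang' the original poster saw."""
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(TIMEOUT)
    try:
        cli.sendto(payload, server_addr)
        while True:
            data, src = cli.recvfrom(1024)
            if src == server_addr:
                return data
            # Reply from another address: treat as spoofed and keep waiting.
    except socket.timeout:
        return None
    finally:
        cli.close()


def demo():
    """(reply via wildcard-bound server, reply via virtual-bound server)."""
    wild = request((VIRTUAL_IP, start_server("0.0.0.0")))
    fixed = request((VIRTUAL_IP, start_server(VIRTUAL_IP)))
    return wild, fixed
```

The first result is None and the second is the reply, which is the difference between serving the virtual address on a wildcard socket and binding it explicitly.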