From owner-freebsd-net@FreeBSD.ORG Mon Jul 28 22:47:34 2014
Date: Mon, 28 Jul 2014 18:47:26 -0400 (EDT)
From: Rick Macklem
To: "Russell L. Carter"
Cc: freebsd-net@freebsd.org
Message-ID: <1817833305.4592918.1406587646770.JavaMail.root@uoguelph.ca>
In-Reply-To: <53D6ACD6.2030204@pinyon.org>
Subject: Re: nfsd spam in /var/log/messages
List-Id: Networking and TCP/IP with FreeBSD

Russell L. Carter wrote:
>
> On 07/28/14 05:55, Rick Macklem wrote:
> > Assuming /export is one file system on the server, put all
> > the exports in a single entry, something like:
> > V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0
> > /export/usr/src /export/usr/obj /export/usr/ports /export/packages
> > /export/library -maproot=root
> >
> > OR you can just allow the clients to mount any location
> > within the server file system using -alldirs like:
> > V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0
> > /export -alldirs -maproot=root
> >
> > At least I think I got this correct;-) rick
>
> Then it would seem that it is not possible to do per-host
> filesystem access control from a single server. Is that true?
>
Yes, you can. Each line must be unique w.r.t. the tuple of .
When there are multiple directories within a file system that need to be
mounted by a given host (or subnet), those must be specified in a single
entry.

> The larger project I am working on intermittently is to see if I can
> work out a way to secure NFSv4 so that the net transport is encrypted
> (via ssh|spiped tunnel, perhaps) and the server has per host (per user
> would be better) filesystem access control, WITHOUT kerberos. Maybe
> ACLs? I have looked into ACLs but they don't look very promising for
> multiple platform support.
>
On my "someday" list is trying to figure out how to allow a mount to work
over IPsec, but I've never done it (and don't actually know if it is
currently possible, although I suspect the answer is no).

ACLs allow finer grained access control to a file, but still use whatever
authentication is being used (auth_sys is just a uid# and list of gid#s
vs Kerberos, which authenticates a kerberos principal).

rick

> Thanks,
> Russell
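An added check, not from the message or from FreeBSD's mountd: assuming a constructed mount table (MOUNT_POINTS) and a simplified reading of exports(5) syntax, it parses each exports line and reports any (file system, host spec) pair that appears on more than one line, which the reply says must be merged into one entry. SPLIT and MERGED are constructed inputs.

```python
from collections import defaultdict

# Constructed mount table for the example; on a real server take it from mount(8).
MOUNT_POINTS = ["/", "/export", "/usr"]

def filesystem_of(path, mount_points=MOUNT_POINTS):
    """Longest mount point that contains path (compared on whole path components)."""
    inside = [mp for mp in mount_points if path == mp or path.startswith(mp.rstrip("/") + "/")]
    return max(inside, key=len, default="/")

def parse_export_line(line):
    """One exports(5) line -> (dirs, options, host_spec); V4:/comment lines give no dirs."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#") or tokens[0] == "V4:":
        return [], {}, ""
    dirs, hosts, opts, i = [], [], {}, 0
    while i < len(tokens) and not tokens[i].startswith("-"):
        dirs.append(tokens[i]); i += 1          # leading tokens are directories
    while i < len(tokens):
        t = tokens[i]
        if t in ("-network", "-mask"):         # these two options take an argument
            opts[t] = tokens[i + 1]; i += 2
        elif t.startswith("-"):
            opts[t] = True; i += 1
        else:
            hosts.append(t); i += 1            # anything else is a host name
    if "-network" in opts:
        host_spec = "net:" + opts["-network"] + ("/" + opts["-mask"] if "-mask" in opts else "")
    else:
        host_spec = "hosts:" + ",".join(sorted(hosts)) if hosts else "everyone"
    return dirs, opts, host_spec

def find_conflicts(exports_text, mount_points=MOUNT_POINTS):
    """Return (file system, host spec) pairs exported on more than one line."""
    seen = defaultdict(list)
    for lineno, line in enumerate(exports_text.splitlines(), 1):
        dirs, _, host_spec = parse_export_line(line)
        for fs in {filesystem_of(d, mount_points) for d in dirs}:
            seen[(fs, host_spec)].append(lineno)
    return {k: v for k, v in seen.items() if len(v) > 1}

# Constructed inputs: one entry per directory (not allowed per the reply) and the merged form.
SPLIT = """V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0
/export/usr/src -maproot=root -network 10.0.10 -mask 255.255.255.0
/export/usr/obj -maproot=root -network 10.0.10 -mask 255.255.255.0
"""
MERGED = """V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0
/export/usr/src /export/usr/obj -maproot=root -network 10.0.10 -mask 255.255.255.0
/export/packages -maproot=root buildhost
"""
```

The MERGED file also shows per-host control on one server: the same file system gets a second line because its host spec (buildhost) differs from the subnet entry.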