Date: Thu, 08 Jan 1998 13:40:25 +0000
From: Karl Pielorz <kpielorz@tdx.co.uk>
To: questions@freebsd.org
Cc: ips@freebsd.org
Subject: Secure? NFS - Whole can of worms no doubt...
Message-ID: <34B4D749.3AF7A03D@tdx.co.uk>
A quick question, with I'm going to guess not a simple answer... I have 2 FreeBSD 2.2.2-RELEASE machines, both running as NFS servers / clients - and I want to lock down the traffic between them, so that NFS is a 'little' more secure than it is at the moment... I say 'little' - because knowing NFS, 'little' is probably as good as it gets...

I have my rc.conf set up as:

amd_enable="NO"                   # Run amd service with $amd_flags (or NO).
amd_flags="-a /net -c 1800 -k i386 -d my.domain -l syslog /host /etc/amd.map"
nfs_client_enable="YES"           # This host is an NFS client (or NO).
nfs_server_enable="YES"           # This host is an NFS server (or NO).
weak_mountd_authentication="NO"   # Running PCNFSD / other non-root nfsd (or NO).
nfs_reserved_port_only="YES"      # Provide NFS only on secure port (or NO).
rpc_lockd_enable="NO"             # Run NFS rpc.lockd (*broken!*) if nfs_server.
rpc_statd_enable="NO"             # Run NFS rpc.statd if nfs_server (or NO).
portmap_enable="YES"              # Run the portmapper service (or NO).
portmap_flags="-v"                # Flags to portmap (if enabled).

My questions are:

1. I want to run NFS over TCP only (at the moment it's all done with UDP) - as I can secure it more that way. What switches / modifications do I need on the machines? (I think only NFS v3 will run that way - but I don't mind running V3 on both machines).

2. When I am running NFS over TCP - which ports are going to be used for all this? (This is not a trick question - I know portmapper will be ultimately responsible for handling this - but by my reckoning, portmapper lives on port 111? - and NFS (when running on a 'secure port') will run on port 2049 - What else is there that would be needed?)

3. When running NFS in secure mode, and over TCP - I presume clients will still use UDP to talk to portmapper?

4. What does rpc.statd do? Is not running this responsible for the way my machines hang aimlessly on things like 'df' if one of the pair gets rebooted (and comes up serving NFS again - but presumably to clients that don't know it's been reset / got new handles etc.)?

Any help always appreciated,

Regards,

Karl Pielorz
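As an added example (not part of Karl's message or of FreeBSD), the question of which ports an NFS-over-TCP setup actually needs is best answered by reading what portmapper has registered: this script parses `rpcinfo -p` output, lists the (protocol, port) pairs a host firewall must allow per RPC service, and reports which of the services NFS relies on have no TCP binding. The `rpcinfo -p` column layout (program, version, proto, port, optional service name) is assumed, and the sample output is constructed, not captured from a real host.

```python
import re
from collections import defaultdict

# Constructed sample of `rpcinfo -p` output (not from a real host); the
# mountd/status ports are handed out by portmapper and differ per boot.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   1023  mountd
    100005    3   udp   1023  mountd
    100005    1   tcp   1023  mountd
    100005    3   tcp   1023  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100024    1   udp   1011  status
    100024    1   tcp   1011  status
"""

# Well-known RPC program numbers, used when rpcinfo prints no service name.
PROGRAM_NAMES = {100000: "portmapper", 100003: "nfs", 100005: "mountd",
                 100021: "nlockmgr", 100024: "status"}

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")

def parse_rpcinfo(text):
    """Return a list of (service, version, proto, port) tuples."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header or blank line
            continue
        prog, vers, proto, port, name = m.groups()
        service = name or PROGRAM_NAMES.get(int(prog), "prog%s" % prog)
        entries.append((service, int(vers), proto, int(port)))
    return entries

def ports_by_service(entries):
    """Map service -> sorted list of (proto, port) a firewall must allow."""
    out = defaultdict(set)
    for service, _vers, proto, port in entries:
        out[service].add((proto, port))
    return {k: sorted(v) for k, v in out.items()}

def tcp_only_gaps(entries, wanted=("portmapper", "mountd", "nfs", "status", "nlockmgr")):
    """Services NFS depends on that are missing or registered without TCP;
    each one would break a TCP-only setup that blocks UDP."""
    have = ports_by_service(entries)
    return [s for s in wanted
            if not any(proto == "tcp" for proto, _ in have.get(s, []))]

if __name__ == "__main__":
    ents = parse_rpcinfo(SAMPLE_RPCINFO)
    for svc, pairs in sorted(ports_by_service(ents).items()):
        print(svc, pairs)
    print("no TCP binding:", tcp_only_gaps(ents))
```

Run it against real `rpcinfo -p` output from the server (on the client, `rpcinfo -p server`) to see the dynamic mountd/status/lockd ports before writing firewall rules; the sample deliberately omits nlockmgr to show how a missing service is reported.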