From: Karl Pielorz
Organization: TDX
Date: Thu, 08 Jan 1998 13:40:25 +0000
To: questions@freebsd.org
CC: ips@freebsd.org
Subject: Secure? NFS - Whole can of worms no doubt...

A quick question, with I'm going to guess not a simple answer...

I have 2 FreeBSD 2.2.2-RELEASE machines, both running as NFS servers / clients - and I want to lock down the traffic between them, so that NFS is a 'little' more secure than it is at the moment... I say 'little' - because knowing NFS, 'little' is probably as good as it gets...

I have my rc.conf set up as:

  amd_enable="NO"                    # Run amd service with $amd_flags (or NO).
  amd_flags="-a /net -c 1800 -k i386 -d my.domain -l syslog /host /etc/amd.map"
  nfs_client_enable="YES"            # This host is an NFS client (or NO).
  nfs_server_enable="YES"            # This host is an NFS server (or NO).
  weak_mountd_authentication="NO"    # Running PCNFSD / other non-root nfsd (or NO).
  nfs_reserved_port_only="YES"       # Provide NFS only on secure port (or NO).
  rpc_lockd_enable="NO"              # Run NFS rpc.lockd (*broken!*) if nfs_server.
  rpc_statd_enable="NO"              # Run NFS rpc.statd if nfs_server (or NO).
  portmap_enable="YES"               # Run the portmapper service (or NO).
  portmap_flags="-v"                 # Flags to portmap (if enabled).

My questions are:

1. I want to run NFS over TCP only (at the moment it's all done with UDP) - as I can secure it more that way. What switches / modifications do I need on the machines? (I think only NFS v3 will run that way - but I don't mind running V3 on both machines).

2. When I am running NFS over TCP - which ports are going to be used for all this? (This is not a trick question - I know portmapper will be ultimately responsible for handling this - but by my reckoning, portmapper lives on port 111? - and NFS (when running on a 'secure port') will run on port 2049 - What else is there that would be needed?)

3. When running NFS in secure mode, and over TCP - I presume clients will still use UDP to talk to portmapper?

4. What does rpc.statd do? - Is not running this responsible for the way my machines hang aimlessly on things like 'df' if one of the pair gets rebooted (and comes up serving NFS again - but presumably to clients that don't know it's been reset / got new handles etc.?)

Any help always appreciated,

Regards,

Karl Pielorz