Date: Fri, 9 Feb 2001 11:30:28 +0100 (CET)
From: Gerald Pfeifer <pfeifer@dbai.tuwien.ac.at>
To: <freebsd-security@freebsd.org>
Cc: Alfred Perlstein <bright@wintelcom.net>, Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, <admin@dbai.tuwien.ac.at>
Subject: Re: nfsd lacks support for tcp_wrapper
Message-ID: <Pine.BSF.4.33.0102091125000.59792-100000@deneb.dbai.tuwien.ac.at>
In-Reply-To: <200101310138.UAA58984@khavrinen.lcs.mit.edu>

On Tue, 30 Jan 2001, Alfred Perlstein wrote:
>> Or are we just missing something?
> Missing the fact that nfsd is an in-kernel process and therefore
> pretty hard to link against libwrap.

Hard, or impossible? ;-)

> Otherwise... i dunno, use ipfw? :)

Well, we could do that. But it really would be nice to have *one* place
to configure such services. Logically (I realize that it's not easy to
implement), I don't see why nfsd shouldn't honor /etc/hosts.allow.

On Tue, 30 Jan 2001, Garrett Wollman wrote:
> A good deal, since NFS has access-control at a higher level built in
> to the kernel. mountd will do the right magic to tell the kernel what
> your access-control list is.

Well, we're also using that, but this doesn't prevent non-authorized
clients from accessing the NFS port in the first place. And in case that at
some point we forget to configure some specific mount correctly
security-wise, that would be a second line of defense. And having multiple
lines of defense seems like a good idea. :-)

Gerald
--
Gerald "Jerry" pfeifer@dbai.tuwien.ac.at http://www.dbai.tuwien.ac.at/~pfeifer/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message