Date: Fri, 9 Feb 2001 11:30:28 +0100 (CET)
From: Gerald Pfeifer
Cc: Alfred Perlstein, Garrett Wollman
Subject: Re: nfsd lacks support for tcp_wrapper
In-Reply-To: <200101310138.UAA58984@khavrinen.lcs.mit.edu>

On Tue, 30 Jan 2001, Alfred Perlstein wrote:
>> Or are we just missing something?
> Missing the fact that nfsd is an in-kernel process and therefore
> pretty hard to link against libwrap.

Hard, or impossible? ;-)

> Otherwise... i dunno, use ipfw? :)

Well, we could do that. But it really would be nice to have *one* place
to configure such services. Logically (I realize that it's not easy to
implement), I don't see why nfsd shouldn't honor /etc/hosts.allow.

On Tue, 30 Jan 2001, Garrett Wollman wrote:
> A good deal, since NFS has access-control at a higher level built in
> to the kernel. mountd will do the right magic to tell the kernel what
> your access-control list is.

Well, we're also using that, but this doesn't prevent non-authorized
clients from accessing the NFS port in the first place. And in case at
some point we forget to configure some specific mount correctly
security-wise, that would be a second line of defense. And having
multiple lines of defense seems like a good idea. :-)

Gerald
--
Gerald "Jerry" pfeifer@dbai.tuwien.ac.at http://www.dbai.tuwien.ac.at/~pfeifer/
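The "forgot to configure some specific mount" case above is easy to catch before it needs a second line of defense. The following is an added example, not part of the thread or of FreeBSD; it assumes the exports(5) line shape `/path ... [-option ...] [host | -network net -mask m ...]` and a sample exports file constructed inline.

```sh
#!/bin/sh
# Added example: list exports(5) entries that restrict no client at all,
# i.e. mounts that the kernel ACL set up by mountd will hand to anyone.
# Assumed line shape: paths (start with "/"), then options (start with "-"),
# then host names or the arguments of -network/-mask. A line with nothing
# but paths and options is exported to the world.
find_open_exports() {
    # $1: exports-style file to audit (defaults to /etc/exports)
    awk '
        /^[[:space:]]*(#|$)/ { next }         # skip comments and blank lines
        {
            paths = ""; restricted = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^\//)       { paths = paths (paths ? " " : "") $i }
                else if ($i !~ /^-/)  { restricted = 1 }   # host or net/mask value
                # fields starting with "-" are options such as -ro, -maproot=...
            }
            if (paths != "" && !restricted) print paths
        }
    ' "${1:-/etc/exports}"
}

# Constructed sample used when the script is run directly.
sample_exports() {
    cat <<'EOF'
# constructed /etc/exports sample
/usr/home -network 192.168.1.0 -mask 255.255.255.0
/usr/src /usr/obj -ro buildhost
/export/public -ro -maproot=nobody
/export/scratch
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && sample_exports > "$tmp"
    find_open_exports "$tmp"      # prints the two unrestricted entries
    rm -f "$tmp"
fi
```

Run as `sh audit-exports.sh --demo` for the constructed sample, or `find_open_exports /etc/exports` from a shell that has sourced the file.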