From: Randy Smith
Organization: Amigo.Net
Date: Mon, 18 Jun 2001 09:10:33 -0600
To: anderson@centtech.com
Cc: freebsd-isp, freebsd-security
Subject: Re: Require IPsec for NFS

Eric Anderson wrote:

> When adding your spd's, you can restrict to port numbers and ip
> addresses.
> Check out 'man setkey', and look for 'dst_range'. That should get you
> started.

I'm currently set up to encrypt all traffic between the two hosts. I want to make sure that if a cracker gets past the protection from hosts.allow, he still has to deal with the IPsec to hijack/screw with the connection.

Thanks for the response.

Randy

>
> Eric
>
>
> Randy Smith wrote:
>
>>Hi all,
>>
>>I have a server that I want to mirror. I'm using NFS to connect the
>>primary server to the mirror. The mirror is the NFS server and the
>>primary server is the only IP address allowed to connect to portmap in
>>/etc/hosts.allow. In order to prevent IP spoof attacks against NFS, I
>>have IPsec set up between the hosts to authenticate the packets. That
>>seems to prevent IP spoofing.
>>
>>I want to know if it is possible to require all NFS connections to use
>>IPsec or will this setup a reasonable way to protect NFS?
>>
>>--
>>Randy Smith
>>Amigo.Net Systems Administrator
>>1-719-589-6100 x 4185
>>http://www.amigo.net/
>>
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
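
Added example, not part of the original messages: a setkey(8) policy file for the mirror (the NFS server) that makes IPsec mandatory for all traffic exchanged with the primary, with the weaker `use` level and a port-scoped variant shown commented out for contrast. The addresses and the file path are assumptions, and the SAs are assumed to be supplied separately (manual keys or an IKE daemon).

```conf
# Assumed path: /etc/ipsec.conf on the mirror, loaded with: setkey -f /etc/ipsec.conf
# Assumed addresses (not from the thread):
#   192.0.2.10 = primary server (NFS client)
#   192.0.2.20 = mirror (NFS server)

# Clear any old policies so stale entries cannot shadow the ones below.
spdflush;

# Weak variant, for comparison only. With level "use" the kernel applies
# IPsec when an SA exists and otherwise carries on in the clear, so the
# policy does not force anything.
# spdadd 192.0.2.10 192.0.2.20 any -P in  ipsec esp/transport//use;
# spdadd 192.0.2.20 192.0.2.10 any -P out ipsec esp/transport//use;

# Required variant. With level "require" an SA must exist: outbound packets
# to the primary are not sent without ESP, and inbound packets claiming to
# come from the primary are dropped unless they arrived through ESP. A
# spoofed cleartext packet that passes the hosts.allow address check never
# reaches portmap, mountd or nfsd.
spdadd 192.0.2.10 192.0.2.20 any -P in  ipsec esp/transport//require;
spdadd 192.0.2.20 192.0.2.10 any -P out ipsec esp/transport//require;

# Port-scoped variant (the port restriction mentioned in the reply),
# covering only nfsd on UDP 2049. It leaves portmap (111) and mountd, which
# normally gets a dynamically assigned port, outside the policy, which is
# why the host-wide policy above is the simpler way to cover NFS.
# spdadd 192.0.2.10[any]  192.0.2.20[2049] udp -P in  ipsec esp/transport//require;
# spdadd 192.0.2.20[2049] 192.0.2.10[any]  udp -P out ipsec esp/transport//require;
```

The primary needs the mirror-image policies (same address pairs with `in` and `out` swapped); `setkey -DP` lists the installed policies on each host.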