From: John-Mark Gurney
To: Rick Macklem
Cc: "Russell L. Carter", freebsd-net@freebsd.org
Date: Tue, 29 Jul 2014 11:21:34 -0700
Subject: Re: nfsd spam in /var/log/messages
Message-ID: <20140729182134.GA43962@funkthat.com>

Rick Macklem wrote this message on Mon, Jul 28, 2014 at 18:47 -0400:
> Russell L. Carter wrote:
> > On 07/28/14 05:55, Rick Macklem wrote:
> >
> > > Assuming /export is one file system on the server, put all
> > > the exports in a single entry, something like:
> > > V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0
> > > /export/usr/src /export/usr/obj /export/usr/ports /export/packages
> > > /export/library -maproot=root
> > >
> > > OR you can just allow the clients to mount any location
> > > within the server file system using -alldirs like:
> > > V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0
> > > /export -alldirs -maproot=root
> > >
> > > At least I think I got this correct;-) rick
> >
> > Then it would seem that it is not possible to do per-host
> > filesystem access control from a single server. Is that true?
> >
> Yes, you can. Each line must be unique w.r.t. the tuple of
> .
>
> When there are multiple directories within a file system that
> need to be mounted by a given host (or subnet), those must be
> specified in a single entry.

You know.. mountd really should grow the smarts to handle this, and
warn if the various settings for the fs don't match between lines...
i.e. union the lines as long as they match...

Could be a good project for someone(tm)...

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
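
The check suggested in this thread, sketched as a stand-alone linter (an added example, not part of the original message and not mountd code): it groups exports lines by (file system, host or subnet) and reports repeats as "mergeable" when their options match and "conflict" when they differ. The mount-point list, the sample lines and all function names are constructed for the example; option parsing is simplified and continuation lines are not handled.

```python
from collections import defaultdict

MOUNT_POINTS = ["/", "/export"]          # assumed server mount points
SAMPLE = """\
/export/usr/src -maproot=root -network 10.0.10 -mask 255.255.255.0
/export/usr/obj -maproot=root -network 10.0.10 -mask 255.255.255.0
/export/packages -ro hostA
/export/library -maproot=root hostA
/export/usr/ports /export/home -maproot=root hostB
"""                                      # constructed exports lines

def fs_of(path, mount_points):
    """Longest mount point containing path; '/' if none matches."""
    hits = [m for m in mount_points
            if path == m or path.startswith(m.rstrip("/") + "/")]
    return max(hits, key=len, default="/")

def parse_line(line):
    """Split one exports line into (dirs, options, host specs)."""
    dirs, opts, hosts, net = [], set(), [], []
    toks = iter(line.split("#", 1)[0].split())
    for t in toks:
        if t.startswith("/") and not (opts or hosts or net):
            dirs.append(t)
        elif t in ("-network", "-mask"):          # value is the next token
            net.append(t + "=" + next(toks, ""))
        elif t.startswith(("-network=", "-mask=")):
            net.append(t)
        elif t.startswith("-"):
            opts.add(t)
        else:
            hosts.append(t)
    if net:                                       # a subnet counts as one "host"
        hosts.append(" ".join(sorted(net)))
    return dirs, frozenset(opts), hosts or ["(everyone)"]

def lint(text, mount_points):
    """Return (fs, host, 'mergeable'|'conflict', line numbers) per repeat."""
    seen = defaultdict(list)                      # (fs, host) -> [(line, opts)]
    for no, line in enumerate(text.splitlines(), 1):
        dirs, opts, hosts = parse_line(line)
        if not dirs:                              # blank, comment or V4: line
            continue
        for fs in {fs_of(d, mount_points) for d in dirs}:
            for h in hosts:
                seen[(fs, h)].append((no, opts))
    return [(fs, h, "mergeable" if len({o for _, o in u}) == 1 else "conflict",
             [n for n, _ in u])
            for (fs, h), u in sorted(seen.items()) if len(u) > 1]
```

Calling `lint(SAMPLE, MOUNT_POINTS)` flags lines 1 and 2 as mergeable and lines 3 and 4 as a conflict, while the single-entry form on line 5 passes.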