From: Rick Macklem
To: John-Mark Gurney
Cc: "Russell L. Carter", freebsd-net@freebsd.org
Date: Tue, 29 Jul 2014 16:34:10 -0400 (EDT)
Subject: Re: nfsd spam in /var/log/messages

John-Mark Gurney wrote:
> Rick Macklem wrote this message on Mon, Jul 28, 2014 at 18:47 -0400:
> > Russell L. Carter wrote:
> > > On 07/28/14 05:55, Rick Macklem wrote:
> > >
> > > > Assuming /export is one file system on the server, put all
> > > > the exports in a single entry, something like:
> > > > V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0
> > > > /export/usr/src /export/usr/obj /export/usr/ports
> > > > /export/packages
> > > > /export/library -maproot=root
> > > >
> > > > OR you can just allow the clients to mount any location
> > > > within the server file system using -alldirs like:
> > > > V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0
> > > > /export -alldirs -maproot=root
> > > >
> > > > At least I think I got this correct;-) rick
> > >
> > > Then it would seem that it is not possible to do per-host
> > > filesystem access control from a single server. Is that true?
> > >
> > Yes, you can. Each line must be unique w.r.t. the tuple of
> > .
> >
> > When there are multiple directories within a file system that
> > need to be mounted by a given host (or subnet), those must be
> > specified in a single entry.
>
> You know.. mountd really should grow the smarts to handle this, and
> warn if the various settings for the fs don't match between lines...
>
> i.e. union the lines as long as they match...
>
> Could be a good project for someone(tm)...
>
Yep. Of course, once they take a look at the really old, very ugly
mountd.c, they may change their minds. I, for one, am not volunteering;-)

Btw, there was a somewhat non-backwards compatible utility called nfse,
but the author has withdrawn his support, so I am not sure what state
the sources are in.

rick

> --
> John-Mark Gurney Voice: +1 415 225 5579
>
> "All that I will do, has been done, All that I have, has not."
>
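
The check discussed in this thread (warn when several exports lines cover the same file system for the same host or subnet) can be sketched as an offline lint. This is an added example, not part of the thread and not mountd code; the parser is a simplified reading of exports(5), and the mount-point list, the host name `buildhost` and the sample lines are constructed assumptions.

```python
from collections import defaultdict

def fs_of(path, mount_points):
    """Return the longest caller-supplied mount point that contains path."""
    hits = [m for m in mount_points
            if path == m or path.startswith(m.rstrip("/") + "/")]
    return max(hits, key=len) if hits else "/"

def parse_entry(line):
    """Simplified exports(5) split: returns (directories, client specs)."""
    dirs, clients, net, mask = [], [], None, ""
    toks = line.split()
    i = 0
    while i < len(toks):
        name, _, val = toks[i].partition("=")
        if name in ("-network", "-mask"):
            if not val and i + 1 < len(toks):   # "-network 10.0.10" form
                i += 1
                val = toks[i]
            if name == "-network":
                net = val
            else:
                mask = val
        elif toks[i].startswith("/"):
            dirs.append(toks[i].rstrip("/") or "/")
        elif not toks[i].startswith("-"):       # host or netgroup name
            clients.append(toks[i])
        i += 1
    if net is not None:
        clients.append(f"{net}/{mask}" if mask else net)
    return dirs, clients or ["(everyone)"]

def find_split_entries(exports_text, mount_points):
    """List (file system, client, line numbers) exported on more than one line."""
    seen = defaultdict(list)
    for lineno, raw in enumerate(exports_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("V4:"):  # V4: sets the NFSv4 root only
            continue
        dirs, clients = parse_entry(line)
        for fs in {fs_of(d, mount_points) for d in dirs}:
            for client in clients:
                seen[(fs, client)].append(lineno)
    return sorted((fs, c, ln) for (fs, c), ln in seen.items() if len(ln) > 1)

# Constructed sample: lines 2 and 3 split one file system for one subnet.
SAMPLE = """\
V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0
/export/usr/src -network 10.0.10 -mask 255.255.255.0
/export/usr/obj -network 10.0.10 -mask 255.255.255.0
/export/library -maproot=root buildhost
/data/scratch -network 10.0.10 -mask 255.255.255.0
"""

if __name__ == "__main__":
    for fs, client, lines in find_split_entries(SAMPLE, ["/export", "/data"]):
        print(f"{fs}: client {client} appears on lines {lines}; merge into one entry")
```

Per-host control is kept: line 4 names a different client on the same file system, so it is not flagged.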