Date: Mon, 8 Sep 2008 11:21:48 +0400 (MSD) From: Dmitry Morozovsky <marck@rinet.ru> To: Jeremy Chadwick <koitsu@freebsd.org> Cc: freebsd-fs@freebsd.org, Pawel Jakub Dawidek <pjd@freebsd.org> Subject: Re: ZFS filesystem: export for more than one subnet Message-ID: <alpine.BSF.2.00.0809081112410.53906@woozle.rinet.ru> In-Reply-To: <20080907233637.GA51889@icarus.home.lan> References: <alpine.BSF.2.00.0809071836130.76180@woozle.rinet.ru> <20080907220104.GA26094@icarus.home.lan> <alpine.BSF.2.00.0809080237580.53906@woozle.rinet.ru> <20080907233637.GA51889@icarus.home.lan>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 7 Sep 2008, Jeremy Chadwick wrote: JC> That said, what happens if you edit /etc/zfs/exports by hand, then run JC> "zfs list -o sharenfs"? Does it show the changes you put in place? If JC> so, then great -- it means there's two ways a person can edit the JC> NFS-exported ZFS shares (by editing the file directly, or using "zfs"). Nope, ZFS does not track /etc/zfs/export, hence "Do not edit!" comment in it. JC> Does the below work? JC> JC> # zfs set sharenfs="ro,network=aaa/xx,network=bbb/yy,network=ccc/zz" some_fs JC> JC> If not (e.g. mountd rejects it, or only the first network is used), then JC> this would indicate a problem with the exports file syntax / problem JC> with mountd, and not with ZFS. It is of course FreeBSD' mountd problem (more than it does not understand CIDR slashed notation): marck@beaver:~# cat /etc/zfs/exports # !!! DO NOT EDIT THIS FILE MANUALLY !!! /FreeBSD -ro -alldirs -network 195.54.192.0 -mask 255.255.255.192 255.255.255.192 marck@beaver:~# zfs get sharenfs bv/FreeBSD NAME PROPERTY VALUE SOURCE bv/FreeBSD sharenfs -ro -alldirs -network 195.54.192.0 -mask 255.255.255.192 local marck@beaver:~# zfs set sharenfs="ro,alldirs,network=195.54.192.0/26,192.168.39.0/24" bv/FreeBSD marck@beaver:~# zfs get sharenfs bv/FreeBSD NAME PROPERTY VALUE SOURCE bv/FreeBSD sharenfs ro,alldirs,network=195.54.192.0/26,192.168.39.0/24 local Sep 8 11:18:18 beaver mountd[25992]: can't get address info for host 192.168.39.0/24 Sep 8 11:18:18 beaver mountd[25992]: bad host 192.168.39.0/24, skipping Sep 8 11:18:18 beaver mountd[25992]: network/host conflict Sep 8 11:18:18 beaver mountd[25992]: bad exports list line /FreeBSD -ro -alldirs -network JC> > I would prefer to do both ;) Oh, and hosts.allow possibly too... Or, would it JC> > be too inefficient? JC> JC> There is absolutely no reason to do both. Packets arriving on the JC> network will hit the pf stack before ever reaching mountd, which is JC> perfect, and a good security model. JC> JC> Additionally, libwrap (hosts.allow/deny) is a travesty, and should be JC> nuked from the face of the planet. It provides a false sense of JC> security -- it doesn't stop someone (anyone!) from being able to JC> actually connect to that TCP port (or in the case of UDP, I believe a JC> deny/rejection will actually send back a packet of some kind), which JC> means people will then know you've got (rpcbind|mountd|ftpd|whatever) JC> running, which gives an attacker/hacker significant hints about what JC> your system is running, and more ammunition. Well, all there actually make sense. Thanks, I'll think about it a little bit more. Sincerely, D.Marck [DM5020, MCK-RIPE, DM3-RIPN] [ FreeBSD committer: marck@FreeBSD.org ] ------------------------------------------------------------------------ *** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru *** ------------------------------------------------------------------------
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.00.0809081112410.53906>