From owner-freebsd-fs@FreeBSD.ORG  Mon Sep  8 07:21:50 2008
Return-Path: <owner-freebsd-fs@FreeBSD.ORG>
Delivered-To: freebsd-fs@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 580341065673;
	Mon,  8 Sep 2008 07:21:50 +0000 (UTC) (envelope-from marck@rinet.ru)
Received: from woozle.rinet.ru (woozle.rinet.ru [195.54.192.68])
	by mx1.freebsd.org (Postfix) with ESMTP id B4AAE8FC30;
	Mon,  8 Sep 2008 07:21:49 +0000 (UTC) (envelope-from marck@rinet.ru)
Received: from localhost (localhost [127.0.0.1])
	by woozle.rinet.ru (8.14.2/8.14.2) with ESMTP id m887LmC1021913;
	Mon, 8 Sep 2008 11:21:48 +0400 (MSD) (envelope-from marck@rinet.ru)
Date: Mon, 8 Sep 2008 11:21:48 +0400 (MSD)
From: Dmitry Morozovsky <marck@rinet.ru>
To: Jeremy Chadwick <koitsu@freebsd.org>
In-Reply-To: <20080907233637.GA51889@icarus.home.lan>
Message-ID: <alpine.BSF.2.00.0809081112410.53906@woozle.rinet.ru>
References: <alpine.BSF.2.00.0809071836130.76180@woozle.rinet.ru>
	<20080907220104.GA26094@icarus.home.lan>
	<alpine.BSF.2.00.0809080237580.53906@woozle.rinet.ru>
	<20080907233637.GA51889@icarus.home.lan>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
X-NCC-RegID: ru.rinet
X-OpenPGP-Key-ID: 6B691B03
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.0
	(woozle.rinet.ru [0.0.0.0]); Mon, 08 Sep 2008 11:21:48 +0400 (MSD)
Cc: freebsd-fs@freebsd.org, Pawel Jakub Dawidek <pjd@freebsd.org>
Subject: Re: ZFS filesystem: export for more than one subnet
X-BeenThere: freebsd-fs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Filesystems <freebsd-fs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-fs>,
	<mailto:freebsd-fs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-fs>
List-Post: <mailto:freebsd-fs@freebsd.org>
List-Help: <mailto:freebsd-fs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-fs>,
	<mailto:freebsd-fs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Sep 2008 07:21:50 -0000

On Sun, 7 Sep 2008, Jeremy Chadwick wrote:

JC> That said, what happens if you edit /etc/zfs/exports by hand, then run
JC> "zfs list -o sharenfs"?  Does it show the changes you put in place?  If
JC> so, then great -- it means there's two ways a person can edit the
JC> NFS-exported ZFS shares (by editing the file directly, or using "zfs").

Nope, ZFS does not track /etc/zfs/export, hence "Do not edit!" comment in it.

JC> Does the below work?
JC> 
JC> # zfs set sharenfs="ro,network=aaa/xx,network=bbb/yy,network=ccc/zz" some_fs
JC> 
JC> If not (e.g. mountd rejects it, or only the first network is used), then
JC> this would indicate a problem with the exports file syntax / problem
JC> with mountd, and not with ZFS.

It is of course FreeBSD' mountd problem (more than it does not understand CIDR 
slashed notation):

marck@beaver:~# cat /etc/zfs/exports
# !!! DO NOT EDIT THIS FILE MANUALLY !!!

/FreeBSD        -ro -alldirs -network 195.54.192.0 -mask 255.255.255.192
255.255.255.192
marck@beaver:~# zfs get sharenfs bv/FreeBSD
NAME        PROPERTY  VALUE                                                     SOURCE
bv/FreeBSD  sharenfs  -ro -alldirs -network 195.54.192.0 -mask 255.255.255.192  local
marck@beaver:~# zfs set sharenfs="ro,alldirs,network=195.54.192.0/26,192.168.39.0/24" bv/FreeBSD
marck@beaver:~# zfs get sharenfs bv/FreeBSD
NAME        PROPERTY  VALUE                                               SOURCE
bv/FreeBSD  sharenfs  ro,alldirs,network=195.54.192.0/26,192.168.39.0/24  local


Sep  8 11:18:18 beaver mountd[25992]: can't get address info for host 192.168.39.0/24
Sep  8 11:18:18 beaver mountd[25992]: bad host 192.168.39.0/24, skipping
Sep  8 11:18:18 beaver mountd[25992]: network/host conflict
Sep  8 11:18:18 beaver mountd[25992]: bad exports list line /FreeBSD    -ro -alldirs -network


JC> > I would prefer to do both ;) Oh, and hosts.allow possibly too... Or, would it 
JC> > be too inefficient?
JC> 
JC> There is absolutely no reason to do both.  Packets arriving on the
JC> network will hit the pf stack before ever reaching mountd, which is
JC> perfect, and a good security model.
JC> 
JC> Additionally, libwrap (hosts.allow/deny) is a travesty, and should be
JC> nuked from the face of the planet.  It provides a false sense of
JC> security -- it doesn't stop someone (anyone!) from being able to
JC> actually connect to that TCP port (or in the case of UDP, I believe a
JC> deny/rejection will actually send back a packet of some kind), which
JC> means people will then know you've got (rpcbind|mountd|ftpd|whatever)
JC> running, which gives an attacker/hacker significant hints about what
JC> your system is running, and more ammunition.

Well, all there actually make sense.  Thanks, I'll think about it a little bit 
more.

Sincerely,
D.Marck                                     [DM5020, MCK-RIPE, DM3-RIPN]
[ FreeBSD committer:                                 marck@FreeBSD.org ]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
------------------------------------------------------------------------