Date: Mon, 18 Jun 2001 09:00:10 -0600
From: Randy Smith <randys@amigo.net>
To: Paul Khavkine <paul@colba.net>
Cc: freebsd-isp <freebsd-isp@freebsd.org>
Subject: Re: Require IPsec for NFS
Message-ID: <3B2E177A.3000908@amigo.net>
References: <3B2E10A1.5000302@amigo.net> <3B2E4C00.C9288AEC@colba.net>
Paul Khavkine wrote:

> You'll have to probably use IPSec for all traffic between the 2 boxen.
> Check out this HOWTO:

I have that setup already. I re-read my first post and I left out some
info so let me clarify a bit. I want to make sure that if a remote
(possibly unknown) machine tries to make an NFS connection, it must do
it over IPsec. Portmap "should" refuse connections from all but the
specified IP but if that is spoofed (or otherwise compromised), I want
to make sure that the connection must use IPsec to authenticate the
connection, etc. (You know, all the good things that IPsec is supposed
to do.)

Thanks for the help.

Randy

>
> http://ezine.daemonnews.org/200101/ipsec-howto.html

ps. As an aside, I went right to the Handbook (Chpt 8.9) for docs on
IPsec.

>
> Cheers
> Paul
>
>
> Randy Smith wrote:
>
>
>>Hi all,
>>
>>I have a server that I want to mirror. I'm using NFS to connect the
>>primary server to the mirror. The mirror is the NFS server and the
>>primary server is the only IP address allowed to connect to portmap in
>>/etc/hosts.allow. In order to prevent IP spoof attacks against NFS, I
>>have IPsec setup between the hosts to authenticate the packets. That
>>seems to prevent IP spoofing.
>>
>>I want to know if it is possible to require all NFS connections to use
>>IPsec or will this setup be a reasonable way to protect NFS?
>>
>>--
>>Randy Smith
>>Amigo.Net Systems Administrator
>>1-719-589-6100 x 4185
>>http://www.amigo.net/
>>
>>To Unsubscribe: send mail to majordomo@FreeBSD.org
>>with "unsubscribe freebsd-isp" in the body of the message
>>
>
> --
> *************************************************
> Paul Khavkine
> Network Administrator
> Distributel Communications
> 740 Notre Dame West, Suite 1135
> Montreal, Quebec, Canada, H3C 3X6
> 1-514-877-0064
