Date: Tue, 30 Jan 2001 17:26:18 -0800
From: Alfred Perlstein
To: Gerald Pfeifer
Cc: freebsd-security@FreeBSD.ORG, admin@dbai.tuwien.ac.at
Subject: Re: nfsd lacks support for tcp_wrapper
Message-ID: <20010130172618.Y26076@fw.wintelcom.net>

* Gerald Pfeifer [010130 17:10] wrote:
> Unless we completely missed something, nfsd does lack support for
> tcp_wrapper, doesn't it?
>
> As NFS is rather critical security-wise this seems like a big omission.
>
> (Many sites, like ours, just cannot avoid using NFS, so it would be nice
> to be able to easily restrict the address range clients are allowed to
> connect from.)
>
> Or are we just missing something?

Missing the fact that nfsd is an in-kernel process and therefore pretty
hard to link against libwrap.

Otherwise... I dunno, use ipfw? :)

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."