From: cpghost
To: gpeel@thenetnow.com
Cc: freebsd-questions@freebsd.org
Subject: Re: NFS and Backups
Date: Sun, 4 Jul 2004 03:12:13 +0200 (CEST)

> > > I have recently decided to use some extra disk space on one of my
> > > servers as backup space. I have NFS client and Servers running OK,
> > > but was wondering how secure it really is.
> >
> > NFS is not secure at all. If you don't trust the local subnet, don't
> > use NFS there. Certainly don't use NFS across the Internet, unless
> > using a secure tunnelling/VPN protocol....
>
> So, if I set the exports so that it used 192.168.x.x, and my managed
> switch is only set to allow members of my vlan to use those IPs, I
> should be OK in that case?

Careful here!
If you have a WLAN access point hooked to your switch, you're still
vulnerable to war driving. Even if you don't use wireless LAN, you
still have to be sure that the client can't be replaced with a rogue
machine without you immediately knowing it (it happens in real life
more frequently than you think, esp. in big offices with lots of
computers).

If you could avoid NFS for backups, then by all means, you should try.
As said, building reliable backup/restore as well as ad hoc file
swapping schemes on top of scp and ssh is a tried and quite secure
method.

-- 
Cordula's Web. http://www.cordula.ws/
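
A minimal sketch of the ssh-based backup/restore scheme recommended in the message above, added here as an example that is not part of the original post. The function names, the `BACKUP_SSH` override, the host and all paths are hypothetical; a dedicated backup account with key-based login on the server is assumed.

```shell
#!/bin/sh
# Added example: tar-over-ssh backup and restore. Host and paths are hypothetical.

# Transport command. BatchMode makes ssh fail instead of prompting, so an
# unattended job never hangs waiting for a password.
: "${BACKUP_SSH:=ssh -o BatchMode=yes}"

# The remote path is interpolated into a command line run by the remote shell,
# so accept only a conservative character set.
safe_remote_path() {
    case $1 in
        ''|*[!A-Za-z0-9_./-]*) echo "unsafe remote path: $1" >&2; return 1 ;;
    esac
}

# backup_push SRC_DIR HOST REMOTE_FILE
backup_push() {
    src=$1 host=$2 remote=$3
    safe_remote_path "$remote" || return 2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 2; }
    # Build the archive locally first so a tar failure is detected before
    # anything is sent (plain sh has no pipefail).
    tmp=$(mktemp) || return 1
    tar -czf "$tmp" -C "$src" . || { rm -f "$tmp"; return 1; }
    # umask 077: archive readable only by the backup account on the server.
    # Write to .part and rename, so an interrupted transfer never replaces
    # the previous good archive.
    $BACKUP_SSH "$host" \
        "umask 077; cat > '$remote.part' && mv '$remote.part' '$remote'" < "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# backup_pull HOST REMOTE_FILE DEST_DIR
backup_pull() {
    host=$1 remote=$2 dest=$3
    safe_remote_path "$remote" || return 2
    [ -d "$dest" ] || { echo "no such directory: $dest" >&2; return 2; }
    $BACKUP_SSH "$host" "cat '$remote'" | tar -xzf - -C "$dest"
}
```

Unlike an NFS export restricted by source address, access here depends on the client holding the private key, and the server's host key is checked by ssh on every connection.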