NFS/firewalls again
| Eric Behr 2006-09-06, 1:30 am |
| Every year or so I look around for the best ways of making NFS
play nice with firewalls. It's a subject beaten to death, but
without a clean solution.
A few years back I thought I found one, in the form of webnfs
proposed by Sun, and I thought everyone will be jumping with
joy and giving thanks and implementing this solution which
requires one to just open up 2049 wherever needed and forget
the portmapper insanity.
But I see that webnfs is practically given up for dead, no one
is implementing it (outside Sun and FreeBSD). So the question
is: are there any other cross-platform solutions? I am not
after highly secure Kerberos-breathing and fairly hard to set
up niche protocol. I just want to restrict access to certain
fileserver hosts using simple and varied firewalls (ipf, pfil,
ipchains). I know that some implementations of lockd, statd and
friends allow one to force the use of certain ports, but this
varies from platform to platform and is highly nonstandard.
The requirement boils down to controlling (with a firewall)
access from a Linux/OS X/?BSD/Solaris NFS client to a Linux/
OS X/?BSD/Solaris server. I know how to handle the Solaris
to Solaris case, but nothing else.
Also, if anyone knows why webnfs got such a cold shoulder in
the marketplace, I'm curious.
I'd be grateful for any advice, wisdom or war stories.
--
Eric Behr | NIU Mathematical Sciences | (815) 753 6727
behr@math.niu.edu | http://www.math.niu.edu/~behr/ | fax: 753 1112
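
Added example, not part of the original post: a short Python script that reads `rpcinfo -p` output from an NFSv3 server and separates the ports a firewall can allow permanently (111 and 2049) from the portmapper-assigned ones used by mountd, lockd and statd, which is the problem the post describes. The sample output is constructed, and the function names `parse_rpcinfo` and `firewall_plan` are hypothetical.

```python
# Constructed sample of `rpcinfo -p` output from a hypothetical NFSv3 server.
SAMPLE = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   tcp  32771  mountd
    100005    3   udp  32769  mountd
    100021    4   tcp  32772  nlockmgr
    100021    4   udp  32770  nlockmgr
    100024    1   tcp  32773  status
    100024    1   udp  32768  status
"""

# RPC program numbers an NFSv3 client has to reach through the firewall.
NFS_PROGRAMS = {100000: "portmapper", 100003: "nfs", 100005: "mountd",
                100021: "nlockmgr", 100024: "status"}
FIXED_PORTS = {111, 2049}   # conventional ports for portmapper and nfs


def parse_rpcinfo(text):
    """Return a set of (service, proto, port) for the NFS-related programs."""
    found = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue                      # header or malformed line
        prog, proto, port = int(fields[0]), fields[2], int(fields[3])
        if prog in NFS_PROGRAMS:
            found.add((NFS_PROGRAMS[prog], proto, port))
    return found


def firewall_plan(text):
    """Split required ports into stable ones and portmapper-assigned ones."""
    stable, dynamic = [], []
    for entry in sorted(parse_rpcinfo(text)):
        (stable if entry[2] in FIXED_PORTS else dynamic).append(entry)
    return stable, dynamic


if __name__ == "__main__":
    stable, dynamic = firewall_plan(SAMPLE)
    for svc, proto, port in stable:
        print(f"allow {proto}/{port:<5} {svc}")
    for svc, proto, port in dynamic:
        print(f"allow {proto}/{port:<5} {svc}  (dynamic: pin it or the rule goes stale)")
```

Running it against live output after each server restart shows whether the entries in the dynamic list have moved, which is when a static firewall rule stops matching.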
| |
| Doug Freyburger 2006-09-06, 1:37 pm |
| Eric Behr wrote:
>
> Every year or so I look around for the best ways of making NFS
> play nice with firewalls.
I prefer unidirectional rsync from the inside copy to the outside copy.
Not what folks tend to want, but it does map more closely to what
they actually need. And yes, it does completely duck the issue of
running NFS through a firewall.
| |
| Eric Behr 2006-09-06, 7:50 pm |
| In article <1157566426.091141.262320@h48g2000cwc.googlegroups.com>,
Doug Freyburger <dfreybur@yahoo.com> wrote:
>Eric Behr wrote:
>
>I prefer unidirectional rsync from the inside copy to the outside copy.
>Not what folks tend to want, but it does map more closely to what
>they actually need. And yes, it does completely duck the issue of
>running NFS through a firewall.
Yes, I use that after a fashion in a few cases, but in my setup
it would be impractical to totally replace NFS with it. Thanks
for the input.
--
Eric Behr | NIU Mathematical Sciences | (815) 753 6727
behr@math.niu.edu | http://www.math.niu.edu/~behr/ | fax: 753 1112
| |
| tsar.peter@gmail.com 2006-09-12, 7:53 pm |
|
Eric Behr wrote:
> Every year or so I look around for the best ways of making NFS
> play nice with firewalls. It's a subject beaten to death, but
> without a clean solution.
>
> A few years back I thought I found one, in the form of webnfs
> proposed by Sun, and I thought everyone will be jumping with
> joy and giving thanks and implementing this solution which
> requires one to just open up 2049 wherever needed and forget
> the portmapper insanity.
>
> But I see that webnfs is practically given up for dead, no one
> is implementing it (outside Sun and FreeBSD). So the question
> is: are there any other cross-platform solutions? I am not
> after highly secure Kerberos-breathing and fairly hard to set
> up niche protocol. I just want to restrict access to certain
> fileserver hosts using simple and varied firewalls (ipf, pfil,
> ipchains). I know that some implementations of lockd, statd and
> friends allow one to force the use of certain ports, but this
> varies from platform to platform and is highly nonstandard.
>
> The requirement boils down to controlling (with a firewall)
> access from a Linux/OS X/?BSD/Solaris NFS client to a Linux/
> OS X/?BSD/Solaris server. I know how to handle the Solaris
> to Solaris case, but nothing else.
>
> Also, if anyone knows why webnfs got such a cold shoulder in
> the marketplace, I'm curious.
>
> I'd be grateful for any advice, wisdom or war stories.
>
> --
> Eric Behr | NIU Mathematical Sciences | (815) 753 6727
> behr@math.niu.edu | http://www.math.niu.edu/~behr/ | fax: 753 1112
sfs ( http://www.fs.net/sfswww/ ) might do this for you. (All nfs
traffic is channeled through one TCP port, server is authorized,
client user may be authorized via a number of methods)
| |
| Frank Cusack 2006-09-13, 1:31 am |
| On 6 Sep 2006 04:24:33 GMT behr@muir.math.niu.edu (Eric Behr) wrote:
> Every year or so I look around for the best ways of making NFS
> play nice with firewalls. It's a subject beaten to death, but
> without a clean solution.
The cleanest method is generally to use a VPN.
Or switch filesystems, say to AFS.
-frank
| |
| Eric Behr 2006-09-16, 1:43 pm |
| In article <1158096330.796497.75670@e3g2000cwe.googlegroups.com>,
<tsar.peter@gmail.com> wrote:
>
>Eric Behr wrote:
>
>sfs ( http://www.fs.net/sfswww/ ) might do this for you.
I haven't heard of that. Sounds interesting, I'll look. Thanks.
--
Eric Behr | NIU Mathematical Sciences | (815) 753 6727
behr@math.niu.edu | http://www.math.niu.edu/~behr/ | fax: 753 1112