Subject: Re: Host access philosophy (Was: restricting NFS (and associated services) to one IP address)
To: None <tls@rek.tjls.com>
From: Byron Servies <bservies@pacang.com>
List: tech-net
Date: 10/09/2006 18:07:23
On Oct 9, 2006, at 5:53 PM, Thor Lancelot Simon wrote:

> On Mon, Oct 09, 2006 at 08:37:44PM -0400, Steven M. Bellovin wrote:
>>
>> The first is to incorporate access control semantics into rpcbind.  It's
>> not a horrible solution, in that it provides some protection against
>> attackers who first query rpcbind to find out what port numbers to
>> attack.
>
> I've already said something analogous in private email, but I'll share
> it, I suppose, with the list.
>
> I do not think that "access control" semantics in particular applications
> are quite what is wanted, here, if you mean "access control by address of
> requesting party" which is what most people, I think, would assume you
> mean.
>
> What you want, as far as I can tell, is access control at the granularity
> merely of "reachability from directly-connected network N".  Assuring that
> unauthorized parties have no connectivity to N is a problem you're willing
> to place out of scope for your present effort.  Firewalls (including
> IP-layer filtering on the local host) can give you this, but configuring
> them for protocols that use dynamic port addressing can be a real
> nuisance.

I freely admit I am out of my depth, but wasn't NFSv4 designed to solve a
lot of these long-standing NFS problems?

http://www.ietf.org/rfc/rfc3530.txt

Byron
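
[Editor's note: the following is an added example, not part of the thread.]
The "reachability from directly-connected network N" approach Thor describes
runs into exactly the nuisance he names: mountd, lockd and statd register
with rpcbind on whatever port they got, so a static packet-filter ruleset
rots the next time the daemons restart. One way to live with that is to
derive the host filter rules from what rpcbind is currently advertising.
The script below is editorial example code (not from any poster or from
NetBSD) and assumes pf(4) on the NFS server; the interface name wm0, the
permitted client 192.0.2.10, and the embedded `rpcinfo -p` listing are all
constructed for illustration. It emits one `pass in quick` rule per
advertised proto/port pair for the allowed source and a trailing `block`
for the same ports from anywhere else, so a client that asks rpcbind for a
port number still cannot reach the service unless it is the permitted peer.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output; not captured from a real host.
# Ports for mountd, nlockmgr and status are the dynamically assigned ones
# that make hand-written filter rules go stale.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100005    1   udp   1023  mountd
    100005    3   tcp    719  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp   1021  nlockmgr
    100024    1   tcp   1020  status'

# rpc_pf_rules IFACE SRC
#   Reads `rpcinfo -p` text on stdin and prints pf rules that allow the
#   advertised RPC services only from SRC on IFACE:
#     - one "pass in quick" rule per distinct proto/port (service name as
#       a trailing comment so the generated ruleset is readable)
#     - one closing "block in" rule for every advertised port from any
#       source, so anything not matched by a pass rule is dropped
#   Interface name and source are hypothetical arguments, e.g. wm0 and
#   192.0.2.10 or 192.0.2.0/24.
rpc_pf_rules() {
    iface=$1
    src=$2
    awk -v iface="$iface" -v src="$src" '
        $1 == "program" { next }                 # skip the column header
        NF >= 5 && ($3 == "tcp" || $3 == "udp") {
            key = $3 ":" $4
            if (key in seen) next                # same proto/port listed twice
            seen[key] = 1
            printf "pass in quick on %s proto %s from %s to (%s) port %s # %s\n",
                   iface, $3, src, iface, $4, $5
            if (!($4 in portseen)) {             # collect ports for the block rule
                portseen[$4] = 1
                ports = ports (ports == "" ? "" : ", ") $4
            }
        }
        END {
            if (ports != "")
                printf "block in on %s proto { tcp, udp } from any to (%s) port { %s }\n",
                       iface, iface, ports
        }'
}

# Stand-alone run against the constructed sample. On a live server you
# would pipe `rpcinfo -p` into the function instead and reload pf with the
# result (pfctl -f) after every NFS daemon restart, because the dynamic
# ports may differ from the previous boot.
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_pf_rules wm0 192.0.2.10
```

The generated rules enforce the reachability-granularity control Thor
describes, and nothing finer: anyone who can spoof or hold an address in
the permitted source range is still admitted, which is the part he places
out of scope. The regeneration step is the price of dynamic port
assignment; if it is forgotten, the old block rule silently cuts off the
relocated daemon rather than exposing it, which is the safer failure mode.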