Bugtraq mailing list archives

CERT, about NFS

From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Wed, 21 Dec 1994 10:32:05 -0500


I just got a CERT advisory about NFS that talks about some fairly
obvious (once thought of) dangers of NFS.  It advises:

     A. Filter packets at your firewall/router.

     B. Use a portmapper that disallows proxy access.

     C. Check the configuration of the /etc/exports files on your hosts.
        In particular:

         1. Do *not* self-reference an NFS server in its own exports file.
         2. Do not allow the exports file to contain a "localhost" entry.


Anyone know why these are recommended?  As far as I can see, if your
portmapper doesn't do proxy calls and/or you firewall out port 111, and
you don't care about local attacks, neither C.1 nor C.2 will buy you
anything further.  Am I missing something, or are these bits of advice
simply there for people who don't do A and B?

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu

Current thread:

CERT, about NFS der Mouse (Dec 21)
- Re: CERT, about NFS John Hawkinson (Dec 21)
- Re: CERT, about NFS Jim Duncan (Dec 21)
  - Re: CERT, about NFS Scott Schwartz (Dec 21)
- Bugtraq reorganization notes Kevin at Freeside Support (Dec 21)
- Re: CERT, about NFS Leo Bicknell (Dec 22)
  - Re: CERT, about NFS Oliver Friedrichs (Dec 22)
  - (fwd) HP-UX 9.x: /usr/lib/expreserve creates files anywhere (fwd) Paul 'Shag' Walmsley (Dec 22)
  - Re: CERT, about NFS Chris Ellwood (Dec 22)
    - Re: CERT, about NFS Paul 'Shag' Walmsley (Dec 22)
- <Possible follow-ups>
- Re: CERT, about NFS Dave Mitchell (Dec 22)

(Thread continues...)