Bugtraq mailing list archives
Re: CERT, about NFS
From: belal () sco COM (Bela Lubkin)
Date: Thu, 22 Dec 1994 05:56:50 -0800
der Mouse wrote:
> I just got a CERT advisory about NFS that talks about some fairly obvious (once thought of) dangers of NFS. It advises:
>
> A. Filter packets at your firewall/router.
> B. Use a portmapper that disallows proxy access.
> C. Check the configuration of the /etc/exports files on your hosts. In particular:
>    1. Do *not* self-reference an NFS server in its own exports file.
>    2. Do not allow the exports file to contain a "localhost" entry.
>
> Anyone know why these are recommended? As far as I can see, if your portmapper doesn't do proxy calls and/or you firewall out port 111, and you don't care about local attacks, neither C.1 nor C.2 will buy you anything further. Am I missing something, or are these bits of advice simply there for people who don't do A and B?

It depends how "soft and chewy" you want the inside of your firewall to be. You might try to keep the inside machines fairly tight so that *if* someone breaches the firewall, they'll still have trouble moving around. (This both tends to limit the damage done, and, by making them have to *do things* to each system they attack, makes it more likely that you'll notice their activities).
Bela<
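
One way to check a host against items C.1 and C.2 quoted above, as an added example that is not part of the original message or the CERT advisory. It assumes the exports file uses either the SunOS-style `-access=host:host` option form or the Linux-style `host(options)` form; the host names and the sample file are constructed.

```python
# Added example: audit exports text for advisory items C.1 and C.2.
LOOPBACK = {"localhost", "localhost.localdomain", "::1"}
HOST_OPTS = {"access", "root", "rw", "ro"}  # SunOS-style options taking host lists

def export_clients(entry):
    """Return (path, [clients]) for one exports entry, or None if blank/comment."""
    entry = entry.split("#", 1)[0].strip()
    if not entry:
        return None
    path, *fields = entry.split()
    clients = []
    for field in fields:
        if field.startswith("-"):            # SunOS style: -access=a:b,root=c
            for opt in field[1:].split(","):
                key, _, value = opt.partition("=")
                if key in HOST_OPTS and value:
                    clients.extend(value.split(":"))
        else:                                # Linux style: host(opts)
            host = field.split("(", 1)[0]
            if host:
                clients.append(host)
    return path, clients

def audit_exports(text, own_names):
    """List (path, client, reason) for loopback or self-referencing clients."""
    own = {n.lower() for n in own_names}
    findings = []
    for entry in text.replace("\\\n", " ").splitlines():  # join continuations
        parsed = export_clients(entry)
        if parsed is None:
            continue
        path, clients = parsed
        for client in clients:
            name = client.lower()
            if name in LOOPBACK or name.startswith("127."):
                findings.append((path, client, "C.2 localhost entry"))
            elif name in own:
                findings.append((path, client, "C.1 self-reference"))
    return findings

# Constructed sample; "nfshost" stands in for the server's own name.
SAMPLE = """\
# constructed sample exports file
/usr      -access=client1:nfshost,ro
/export   client2(rw) localhost(rw)
/home     -rw=client1:client3
/scratch  127.0.0.1(rw) \\
          client4(ro)
"""

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE, ["nfshost", "nfshost.example.com"]):
        print(*finding, sep="\t")
```

Pass every name and address the server answers to in `own_names`; an alias that is left out will not be flagged as a self-reference.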