[geeks] An NFS conundrum
Mike Meredith
very at zonky.org
Mon Feb 19 02:28:30 CST 2007
On Sun, 18 Feb 2007 22:29:53 -0500, Phil Stracchino wrote:
> share -F nfs -o root=@10.24.32.0/24,rw=@10.24.32.0/24,ro=@10.24.33.0/24 -d "exports" /export
>
> minbar:/export /minbar nfs rw,rsize=8192,wsize=8192,soft,suid 0 0
Well, trying to mount it rw when it's exported ro isn't going to help.
I wouldn't have thought it would give an I/O error for an ls though,
but that may be worth fixing. Incidentally, if you're going to specify
the NFS blocksize, I'd benchmark it carefully; Linux can do better than
8Kbytes these days, and it's definitely a suboptimal block size.
> pass log quick on $if_internal from ($if_backbone) to ($if_wireless)
> pass log quick on $if_internal from ($if_wireless) to ($if_backbone)
That looks like you're logging the traffic; so what traffic are you
getting?
> (These rules are here just while I'm debugging this problem. Once I
> have it solved, access to 10.24.32.0/24 from hosts on 10.24.33.0 will
> be restricted much as is access from the outside world, which is to
> say that only trusted hosts on 10.24.33.0/24 can access all hosts on
> 10.24.32.0/24.)
You can trust any host on a network segment only as much as the least
trustworthy host on that network segment. Sorry, I'm letting my security
fascist tendencies show :)
--
Mike Meredith (http://zonky.org/)
The trouble with a sigmonster is that it takes at least 10 attempts to
start writing a reply.
--me
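
An added example, not part of the original message: a small check of the quoted share options against the quoted mount options, reporting what a given client is actually granted. The client addresses are constructed, and the access-list handling is a simplified assumption (only @network entries, non-overlapping lists, a client in no list gets no access).

```python
import ipaddress

# Export and mount options copied from the quoted message.
SHARE_OPTS = "root=@10.24.32.0/24,rw=@10.24.32.0/24,ro=@10.24.33.0/24"
MOUNT_OPTS = "rw,rsize=8192,wsize=8192,soft,suid"

def parse_share(opts):
    """Map rw/ro/root to the @network entries listed for each option."""
    acl = {"rw": [], "ro": [], "root": []}
    for item in opts.split(","):
        key, _, value = item.partition("=")
        if key in acl and value:
            for entry in value.split(":"):  # access lists are colon-separated
                if entry.startswith("@"):
                    acl[key].append(ipaddress.ip_network(entry[1:]))
    return acl

def export_access(acl, client):
    """Return 'rw', 'ro' or None for a client address (simplified model)."""
    addr = ipaddress.ip_address(client)
    for mode in ("rw", "ro"):
        if any(addr in net for net in acl[mode]):
            return mode
    return None

def root_trusted(acl, client):
    """True if the client's root user is covered by the root= list."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in acl["root"])

def check_mount(share_opts, mount_opts, client):
    """Compare what the client asks for with what the export grants it."""
    acl = parse_share(share_opts)
    granted = export_access(acl, client)
    wanted = "ro" if "ro" in mount_opts.split(",") else "rw"
    if granted is None:
        return f"{client}: in no access list, no access granted"
    if wanted == "rw" and granted == "ro":
        return f"{client}: mounts rw but export is ro, writes will fail"
    note = ", root on this client is trusted" if root_trusted(acl, client) else ""
    return f"{client}: mount {wanted} matches export {granted}{note}"

if __name__ == "__main__":
    # Constructed client addresses: one per subnet, one outside both.
    for client in ("10.24.32.15", "10.24.33.40", "192.0.2.7"):
        print(check_mount(SHARE_OPTS, MOUNT_OPTS, client))
```

The last case in the output is the one the trust remark is about: every host in the root= network gets unsquashed root on the export, not just the ones you had in mind.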