CERT, about NFS

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Charlie Watt: "Re: OSF & SCO potential security problems"
• Previous message: Charles L. Athey III: "Re: Re: Re: Sun Patch Id #102060-01"
• Next in thread: John Hawkinson: "Re: CERT, about NFS"

I just got a CERT advisory about NFS that talks about some fairly
obvious (once thought of) dangers of NFS.  It advises:

>      A. Filter packets at your firewall/router.  

>      B. Use a portmapper that disallows proxy access.

>      C. Check the configuration of the /etc/exports files on your hosts.
>         In particular:

>          1. Do *not* self-reference an NFS server in its own exports file.
>          2. Do not allow the exports file to contain a "localhost" entry.

Anyone know why these are recommended?  As far as I can see, if your
portmapper doesn't do proxy calls and/or you firewall out port 111, and
you don't care about local attacks, neither C.1 nor C.2 will buy you
anything further.  Am I missing something, or are these bits of advice
simply there for people who don't do A and B?

					der Mouse

			    mouse@collatz.mcrcim.mcgill.edu

• Next message: Charlie Watt: "Re: OSF & SCO potential security problems"
• Previous message: Charles L. Athey III: "Re: Re: Re: Sun Patch Id #102060-01"
• Next in thread: John Hawkinson: "Re: CERT, about NFS"