Re: CERT, about NFS

Bela Lubkin (belal@sco.COM)
Thu, 22 Dec 1994 05:56:50 -0800

der Mouse wrote:

> I just got a CERT advisory about NFS that talks about some fairly
> obvious (once thought of) dangers of NFS.  It advises:
> 
> >      A. Filter packets at your firewall/router.  
> 
> >      B. Use a portmapper that disallows proxy access.
> 
> >      C. Check the configuration of the /etc/exports files on your hosts.
> >         In particular:
> 
> >          1. Do *not* self-reference an NFS server in its own exports file.
> >          2. Do not allow the exports file to contain a "localhost" entry.
> 
> Anyone know why these are recommended?  As far as I can see, if your
> portmapper doesn't do proxy calls and/or you firewall out port 111, and
> you don't care about local attacks, neither C.1 nor C.2 will buy you
> anything further.  Am I missing something, or are these bits of advice
> simply there for people who don't do A and B?

It depends how "soft and chewy" you want the inside of your firewall to
be.  You might try to keep the inside machines fairly tight so that *if*
someone breaches the firewall, they'll still have trouble moving around.
(This both tends to limit the damage done, and, by making them have to
*do things* to each system they attack, makes it more likely that you'll
notice their activities).

>Bela<
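
Added example, not part of the original message or the CERT advisory: a small checker for items C.1 and C.2 that flags exports entries naming localhost or the server itself. The sample file, the host names and the function names are constructed for illustration. It assumes SunOS-style (-access=) and Linux-style (host(opts)) syntax, takes the server's own names from the caller, and does not expand netgroups or wildcards.

```python
import re

LOOPBACK = {"localhost", "localhost.localdomain", "127.0.0.1", "::1"}

# Constructed sample: mixes SunOS-style (-access=) and Linux-style (host(opts)) lines.
SAMPLE = """\
/usr      -access=client1:fs1,root=client1
/home     client2(rw) localhost(rw)
/export   client3(ro) \\
          client4(ro) 127.0.0.1(rw)
/scratch  fs1.example.com(rw,no_root_squash)   # FQDN of this server
"""

def variants(name):
    """Lower-cased name plus its short form; IP literals have no short form."""
    name = name.lower()
    if re.fullmatch(r"[0-9.]+|.*:.*", name):
        return {name}
    return {name, name.split(".")[0]}

def export_hosts(line):
    """Return (path, hosts) for one logical exports line."""
    fields = line.split()
    hosts = []
    for field in fields[1:]:
        if field.startswith("-"):            # -access=a:b,root=c,ro
            for opt in field[1:].split(","):
                key, _, value = opt.partition("=")
                if key in ("access", "root", "rw", "ro"):
                    hosts += value.split(":")
        else:                                # host(opts) or a bare host name
            hosts.append(field.split("(", 1)[0])
    return fields[0], [h for h in hosts if h]

def audit_exports(text, own_names):
    """List (path, host, reason) for entries matching CERT items C.1 and C.2."""
    own = set().union(*(variants(n) for n in own_names))
    findings = []
    for line in re.sub(r"\\\n", " ", text).splitlines():   # join continuations
        line = line.split("#", 1)[0].strip()               # drop comments
        if not line:
            continue
        path, hosts = export_hosts(line)
        for host in hosts:
            if host.lower() in LOOPBACK:
                findings.append((path, host, "localhost entry (C.2)"))
            elif variants(host) & own:
                findings.append((path, host, "self-reference (C.1)"))
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE, ["fs1.example.com"]):
        print(*finding, sep="\t")
```

Run on each inside host, a check like this serves the point made in the reply above: it keeps the machines behind the firewall tight independently of the filtering in A and B.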