>I just got a CERT advisory about NFS that talks about some fairly
>obvious (once thought of) dangers of NFS. It advises:
>
>> A. Filter packets at your firewall/router.
>
>> B. Use a portmapper that disallows proxy access.
>
>> C. Check the configuration of the /etc/exports files on your hosts.
>>    In particular:
>
>>    1. Do *not* self-reference an NFS server in its own exports file.
>>    2. Do not allow the exports file to contain a "localhost" entry.
>
>Anyone know why these are recommended? As far as I can see, if your
>portmapper doesn't do proxy calls and/or you firewall out port 111, and
>you don't care about local attacks, neither C.1 nor C.2 will buy you
>anything further. Am I missing something, or are these bits of advice
>simply there for people who don't do A and B?
>
>                                        der Mouse

I suspect you are correct; the standard hole uses proxy RPC calls, which
appear to come from 127.0.0.1, so if you have localhost in your export
files, or loopback mount filesystems to yourself, you can use a proxy
call to get that root file handle. Doing *either* (A and B) OR
disallowing proxy calls will stop this. Best to do both anyway.
Firewalling 111,2049 is fine, but having a second line of defense with
the above makes sense.

-phil

This is all so *old* though; why a CERT warning *now*? Perhaps they
waited until someone's exploit program was being used too often?
Piffle. I'll stop flaming now...
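
A check for items C.1 and C.2 of the quoted advisory, as an added example that is not part of the original thread: it scans exports text for loopback or self-referencing client entries. The two entry syntaxes handled (SunOS-style `-access=` options and Linux-style `host(opts)`), the function names and the sample host names are assumptions.

```python
LOOPBACK = {"localhost", "localhost.localdomain", "::1"}

def export_clients(line):
    """Return (path, [client names]) for one exports line, or None if blank."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    path, clients = fields[0], []
    for field in fields[1:]:
        if field.startswith("-"):
            # SunOS style: -access=host1:host2,root=host3
            for opt in field[1:].split(","):
                key, _, val = opt.partition("=")
                if key in ("access", "root", "rw") and val:
                    clients += val.split(":")
        else:
            # Linux style: host(rw,sync) -> host
            clients.append(field.split("(", 1)[0])
    return path, clients

def audit_exports(text, own_names):
    """List (lineno, path, client, reason) for advisory items C.1 and C.2."""
    own = {n.lower() for n in own_names}
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = export_clients(line)
        if parsed is None:
            continue
        path, clients = parsed
        for client in clients:
            name = client.lower()
            if name in LOOPBACK or name.startswith("127."):
                findings.append((lineno, path, client, "C.2 localhost entry"))
            elif name in own:
                findings.append((lineno, path, client, "C.1 self-reference"))
    return findings

# Constructed sample; the server's own names are assumed to be nfs1 / nfs1.example.com.
SAMPLE = """\
# /etc/exports (constructed)
/export/home  -access=clienta:localhost,root=clienta
/export/src   clientb(rw) nfs1.example.com(rw)
/export/pub   -ro
/export/tools 127.0.0.1(ro) clientc(ro)
"""

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE, ["nfs1", "nfs1.example.com"]):
        print("line %d: %s exported to %s: %s" % finding)
```

Pass every name and address the server answers to in `own_names`; an alias left out of that list will not be reported as a self-reference.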