Re: CERT, about NFS

[belal () sco COM (Bela Lubkin)]

der Mouse wrote:

> I just got a CERT advisory about NFS that talks about some fairly
> obvious (once thought of) dangers of NFS.  It advises:
>
> >      A. Filter packets at your firewall/router.  
>
> >      B. Use a portmapper that disallows proxy access.
>
> >      C. Check the configuration of the /etc/exports files on your hosts.
> >         In particular:
>
> >          1. Do *not* self-reference an NFS server in its own exports file.
> >          2. Do not allow the exports file to contain a "localhost" entry.
>
> Anyone know why these are recommended?  As far as I can see, if your
> portmapper doesn't do proxy calls and/or you firewall out port 111, and
> you don't care about local attacks, neither C.1 nor C.2 will buy you
> anything further.  Am I missing something, or are these bits of advice
> simply there for people who don't do A and B?

It depends how "soft and chewy" you want the inside of your firewall to
be.  You might try to keep the inside machines fairly tight so that *if*
someone breaches the firewall, they'll still have trouble moving around.
(This both tends to limit the damage done, and, by making them have to
*do things* to each system they attack, makes it more likely that you'll
notice their activities).

> Bela<