[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: NFS mounts: security hole on firewall?

On Sat, Feb 17, 2001 at 11:53:16AM -0600, Robert Guthrie wrote:
> I know this is probably a stupid question, but I'm trying to be paranoid and 
> leave nothing to chance.  If I'm NOT running an nfs server of any kind on my 
> firewall, but I am mounting an nfs share from my private network to my 
> firewall, am I opening myself up to any big security risks?  I plan to lock 
> down all incomming port connections below 1024, except for sshd's port.

Execpt from the scenarious you have forbidden to talk about, I don't see any 
security problems. However, there are other problems posible. For instance when your server goes down, problems with file locking, unaccessable files, etc, are posible. It would not recommend it.

> I want to be able to parse /var/log and display annomolies in an 
> internal-only web-page, and I thought it'd be safer & faster if I did it on 
> my server (dual celeron), rather than my firewall (486).

You won't need nfs for this. Syslog is able to send log events directly 
to your server. I think this a much better solution.

The log events of the firewall will be, however, stored in the same files as the 
server. e.g. /var/log/auth.log will contain both the events of firewall and server.Your parsing script should handle that.

Add lines like this to firewall:/etc/syslog.conf

auth,authpriv.*        @server

See syslog documentation for details.

An other option is uploading 

> You don't have to qualify your answers with any of the following scenearios:
> o Firewall is compromised from other security hole.
> o Weird networking/kernel bug not related to nfs directly
> o Acts of root ("God, root; what is difference?")
> o Local security problems.  I can trust my wife not hack from within our 
> house ;-)
Good point. Exceptional situations should be avoided while explaining.

Arjen Krap

Reply to: