Re: IPMasqing NFS
Mike Fedyk <mfedyk@matchmail.com> writes:
> Until you know how to use these tools, you shouldn't even try to do this:
>
> lsof
> netstat
> tcpdump
Sure.
> nfs protocol and security considerations.
NFS is insecure. My assumption is that by NFS-mounting, at work, stuff which
lives on my home machine, it is only my *home* machine which
becomes vulnerable, not my work machine. Please let me know if you disagree
with this assumption.
> You are holding open a big guarage door that's screaming "HACK ME! I WANT TO GIVE
> ALL OF MY FILES AWAY, AND HAVE YOU DELETE THEM AFTERWARDS!"
>
> You realize that nfs is worse than using telnet(over the internet), right?
>
> > > Remember with nfs:
> > >
> > > Anyone can act as any of your users! I would setup a IPsec tunnel for this
> > > myself if I did this at all.
Yeah well the only thing worth fearing is fear itself, etc. My home
machine is backed up regularly, if somebody *really* wants to delete all
my files, they have my blessing. On the other hand, I have a
responsibility to protect my work network (or at least not open gaping
holes in it).
> > What's an IPsec tunnel and how do I set one up?
> >
>
> www.freeswan.org
>
> You need to know how to compile your own kernel, use tcpdump, and debug
> network issues. You can get help from the freeswan guys, but you should
> pick up a networking book and read it NOW.
>
> Post more about what you really want to achieve, and maybe we can help you
> pick another solution that is more secure.
I'm at work, I would like to mount home_machine:/var/mp3, so I can
listen to my mp3's. Not a lofty goal, but would be nice pull off at
least as proof of principle. If I can do it without compromising the
security of my home machine, great; if not, that's fine too. If I
can't do it without compromising the security of my work network,
that's a showstopper.
-chris
Reply to: