Re: IPMasqing NFS
On Thu, May 10, 2001 at 11:44:14AM -0700, Chris Majewski wrote:
> Mike Fedyk <mfedyk@matchmail.com> writes:
> > Until you know how to use these tools, you shouldn't even try to do this:
> >
> > lsof
> > netstat
> > tcpdump
>
> Sure.
>
> > nfs protocol and security considerations.
>
> NFS is insecure. My assumption is that by NFS-mounting, at work, stuff which
> lives on my home machine, it is only my *home* machine which
> becomes vulnerable, not my work machine. Please let me know if you disagree
> with this assumption.
>
I agree, mounting from work to home will make your home network insecure. If you
start trusting any scripts on the home computer from work, you'll have the
possibility of compromising work because of the home computer.
> > You are holding open a big garage door that's screaming "HACK ME! I WANT TO GIVE
> > ALL OF MY FILES AWAY, AND HAVE YOU DELETE THEM AFTERWARDS!"
> >
> > You realize that nfs is worse than using telnet (over the internet), right?
> >
> > > > Remember with nfs:
> > > >
> > > > Anyone can act as any of your users! I would set up an IPsec tunnel for this
> > > > myself if I did this at all.
>
> Yeah well the only thing worth fearing is fear itself, etc. My home
> machine is backed up regularly, if somebody *really* wants to delete all
> my files, they have my blessing. On the other hand, I have a
> responsibility to protect my work network (or at least not open gaping
> holes in it).
>
Ok, ask for it. If that's what you want, great.
> > > What's an IPsec tunnel and how do I set one up?
> > >
> >
> > www.freeswan.org
> >
> > You need to know how to compile your own kernel, use tcpdump, and debug
> > network issues. You can get help from the freeswan guys, but you should
> > pick up a networking book and read it NOW.
> >
> > Post more about what you really want to achieve, and maybe we can help you
> > pick another solution that is more secure.
>
> I'm at work, I would like to mount home_machine:/var/mp3, so I can
> listen to my mp3s. Not a lofty goal, but it would be nice to pull off at
> least as proof of principle. If I can do it without compromising the
> security of my home machine, great; if not, that's fine too. If I
> can't do it without compromising the security of my work network,
> that's a showstopper.
>
> -chris
You can export nfs from home as read-only and that may work OK. I can't
give you an exact port number because I haven't tried this myself, and I
believe nfsd's port changes.
Run netstat and grep for udp listening sockets on your nfs server.
OTOH, you will gain much more than just nfs if you set up a VPN.
Mike
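As an added illustration of the two checks Mike suggests (not code from the thread itself): the script below filters netstat-style output for UDP sockets bound to all interfaces, names the well-known RPC/NFS ports among them, and prints a read-only `/etc/exports` line limited to a single client. The netstat output is a constructed sample in the `netstat -an` format, and the client address `203.0.113.10` is a placeholder; the port-to-name mapping uses the standard assignments 111 (portmapper) and 2049 (nfs).

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Constructed sample in the format of `netstat -an` on a Linux NFS server.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:2049            0.0.0.0:*
udp        0      0 0.0.0.0:1023            0.0.0.0:*
udp        0      0 127.0.0.1:32768         0.0.0.0:*'

# Print the local port of every UDP socket bound to 0.0.0.0, i.e. the ports
# reachable from outside the box unless a packet filter blocks them.
# Sockets bound only to 127.0.0.1 are skipped because they are not exposed.
udp_exposed_ports() {
    printf '%s\n' "$SAMPLE_NETSTAT" \
      | awk '$1 == "udp" && $4 ~ /^0\.0\.0\.0:/ { sub(/.*:/, "", $4); print $4 }'
}

# Map well-known RPC/NFS ports to names; anything else is reported as "other"
# (mountd, lockd and statd pick dynamic ports via the portmapper, which is why
# an unfamiliar high port next to 111 and 2049 deserves a second look).
# 111 = portmapper (sunrpc), 2049 = nfs: standard IANA assignments.
name_port() {
    case "$1" in
        111)  echo "portmapper" ;;
        2049) echo "nfs" ;;
        *)    echo "other" ;;
    esac
}

# Emit an /etc/exports line that shares $1 read-only with the single client
# address $2 and maps remote root to nobody (root_squash).
ro_export_line() {
    printf '%s %s(ro,root_squash)\n' "$1" "$2"
}

# Report exposed UDP ports, then show the export line for the mp3 share.
for p in $(udp_exposed_ports); do
    echo "udp/$p $(name_port "$p")"
done
ro_export_line /var/mp3 203.0.113.10
```

On a real server replace the embedded sample with `netstat -an` output; the filter only looks at the first and fourth columns, so it works on any netstat that prints `Proto` and `Local Address` in those positions. Note that a read-only export with `root_squash` limits what a remote party can write or delete, but NFS still identifies users by numeric UID, so it does not stop anyone from reading the exported tree.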