
Re: IPMasqing NFS

On Thu, May 10, 2001 at 11:44:14AM -0700, Chris Majewski wrote:
> Mike Fedyk <mfedyk@matchmail.com> writes:
> > Until you know how to use these tools, you shouldn't even try to do this:
> > 
> > lsof
> > netstat
> > tcpdump
> 
> Sure.
> 
> > nfs protocol and security considerations. 
> 
> NFS is insecure.  My assumption is that by NFS-mounting, at work, stuff which
> lives on my home machine,  it is only my *home* machine which
> becomes vulnerable, not my work machine. Please let me know if you disagree
> with this assumption. 
>

I agree, mounting from work to home will desecure your home network.  If you
start trusting any scripts on home comp from work, you'll have the
possibility of compromising work because of home comp.

> > You are holding open a big garage door that's screaming "HACK ME! I WANT TO GIVE
> > ALL OF MY FILES AWAY, AND HAVE YOU DELETE THEM AFTERWARDS!"
> > 
> > You realize that nfs is worse than using telnet(over the internet), right?
> > 
> > > > Remember with nfs:
> > > > 
> > > > Anyone can act as any of your users!  I would set up an IPsec tunnel for this
> > > > myself if I did this at all. 
> 
> Yeah well the only thing worth fearing is fear itself, etc.  My home
> machine is backed up regularly, if somebody *really* wants to delete all
> my files, they have my blessing.  On the other hand, I have a
> responsibility to protect my work network (or at least not open gaping
> holes in it). 
> 

Ok, ask for it.  If that's what you want, great.

> > > What's an IPsec tunnel and how do I set one up? 
> > >
> > 
> > www.freeswan.org
> > 
> > You need to know how to compile your own kernel, use tcpdump, and debug
> > network issues.  You can get help from the freeswan guys, but you should
> > pick up a networking book and read it NOW.
> > 
> > Post more about what you really want to achieve, and maybe we can help you
> > pick another solution that is more secure.
> 
> I'm at work, I would like to mount home_machine:/var/mp3, so I can
> listen to my mp3's.  Not a lofty goal, but it would be nice to pull off at
> least as proof of principle.  If I can do it without compromising the
> security of my home machine, great; if not, that's fine too.  If I
> can't do it without compromising the security of my work network,
> that's a showstopper. 
> 
> -chris

You can export nfs from home as read-only and that may work ok.  I can't
give you an exact port number because I haven't tried this myself, and I
believe nfsd's port changes.

Run netstat and grep for udp listening sockets on your nfs server.

OTOH, you will gain much more than just nfs if you set up a VPN.

Mike
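As an added example (not part of Mike's message or any project's code), a POSIX shell check for the two points he raises: which UDP sockets an NFS server exposes on all interfaces, and whether any export is writable or disables root_squash. The netstat output and /etc/exports contents below are constructed samples.

```shell
# Constructed sample of `netstat -uln` output from an NFS server (not real data).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:2049            0.0.0.0:*
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*'

# Print the UDP ports bound on all interfaces (0.0.0.0). These are the sockets
# a masquerading router could forward, so they are what an exposed NFS server
# offers to the outside: portmapper (111), nfsd (2049) and whatever dynamic
# port mountd happens to get (32768 in this sample).
udp_wildcard_ports() {
    printf '%s\n' "$1" | awk '$1 == "udp" && $4 ~ /^0\.0\.0\.0:/ { sub(/.*:/, "", $4); print $4 }'
}

# Constructed sample /etc/exports (hypothetical, not from the original message).
SAMPLE_EXPORTS='/var/mp3   *(ro,root_squash)
/home      192.168.1.0/24(rw,no_root_squash)
/pub       *(ro,no_root_squash)'

# Report every export that is writable (rw) or disables root_squash, since
# those make the "anyone can act as any of your users" problem far worse
# than a read-only export with root mapped to nobody.
risky_exports() {
    printf '%s\n' "$1" | awk '
        NF >= 2 {
            n = split($0, f, /[ \t]+/)
            for (i = 2; i <= n; i++) {
                if (f[i] ~ /[(,]rw[,)]/ || f[i] ~ /[(,]no_root_squash[,)]/) { print $1; break }
            }
        }'
}
```

On a real server replace the samples with `netstat -uln` output and the contents of /etc/exports; an empty result from risky_exports and only the ports you expect from udp_wildcard_ports is the state Mike describes as "may work ok".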
