
Allowing NFS to machines based on MAC (?)



Hi folks!

Short version of the question:
How can I use the MAC address of certain machines to allow only those machines 
to mount NFS exports using IPTables?

The long version (motivated by a doubt that what I'm doing is clever):
I'm setting up a Woody box for my parents, and especially my mother is doing a 
fair amount of web editing (she's using Amaya for editing). For a couple of 
years, they've been using an FTP client to upload web pages to a server and 
they are quite content. But I'm not, and I've told them: "this is going to be 
so much more smooth when you start running Linux!" :-)

Now, I have a box, also running Debian, and that's the web server now. It's in 
serverhosting, and I control it completely. My parents connect to the net 
using ADSL, and there are currently two machines connecting through a router 
running Coyote. The IP they're getting seems to be from either of two Class 
B's, but it is static once they're connected. Obviously, my server and their 
workstations are on two different networks (not even the same ISP).

First of all, they shouldn't need to relate to the concept of "local version 
of the page" and "remote (web) version of the page". I usually don't, because 
I'm using Emacs with TRAMP. However, I'd like to take it a step further, so 
that the web-pages appear in their local file system.

I've looked at different ways to do this. First, Amaya has fairly good support 
for HTTP PUT, so I think my mother would be quite happy with that. But that 
doesn't really make it a part of the local file system. Then, there's WebDAV. 
I think WebDAV is going to be great for the future, and there are filesystems 
davfs and kiwi, but it seems they are not mature enough. I've heard some bad 
things about them, but I'm willing to listen to good experiences too! :-)

NFS is generally scary, but I have pretty much come to the conclusion that it 
is the best choice, unless somebody screams here... :-) And _if_ this is 
feasible: I have recorded the MAC addresses of all the ethernet cards on all 
the boxes I have. Then, I thought about modifying the IPTables-based firewall 
I have on my server so that these workstations can mount the NFS exports, but 
drop packets from all other hosts. So, then we're back to the short question 
again: How do I do that? 

Or is this just a Very Bad Idea[tm]? I would be glad for all comments and 
suggestions. I am also aware that MACs can be spoofed, but perhaps it 
provides sufficient security anyway. After all, there's only public web 
pages, so as long as they're not compromising my box, there's nothing there I 
wouldn't want people to poke at, and it is not very likely anybody would want 
to deface it.

Cheers,

Kjetil
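
The rule set the post asks about, sketched as an added example that is not part of the original message: it prints (does not apply) iptables rules using the `mac` match so that only listed source MACs reach the NFS ports. Assumptions: NFS on port 2049 and the portmapper on 111 (mountd and other RPC helpers use further ports not covered here); the function names and MAC addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: emit iptables rules that accept NFS traffic only from
# listed source MACs and drop it from everyone else.
# Assumption: only ports 111 (portmapper) and 2049 (nfs) are handled.

NFS_PORTS="111 2049"

# Succeeds only for six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Usage: nfs_mac_rules MAC [MAC ...]
# Prints the ACCEPT rules for each protocol/port, followed by that
# protocol/port's DROP rule, so the accepts are always evaluated first.
# Returns 1 without printing any rule if a MAC is malformed.
nfs_mac_rules() {
    for mac in "$@"; do
        valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    done
    for proto in tcp udp; do
        for port in $NFS_PORTS; do
            for mac in "$@"; do
                echo "iptables -A INPUT -p $proto --dport $port -m mac --mac-source $mac -j ACCEPT"
            done
            echo "iptables -A INPUT -p $proto --dport $port -j DROP"
        done
    done
}

# Constructed sample addresses
nfs_mac_rules 00:11:22:33:44:55 00:11:22:33:44:66
```

The `mac` match tests the source address of the Ethernet frame as it arrives at the server, so it can only tell apart hosts on the server's own link; traffic that has crossed a router carries that router's MAC.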


