[549] in bugtraq

home help back first fref pref prev next nref lref last post

CERT, about NFS

daemon@ATHENA.MIT.EDU (der Mouse)
Wed Dec 21 13:59:50 1994

Date: Wed, 21 Dec 1994 10:32:05 -0500
From: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
To: bugtraq@fc.net

I just got a CERT advisory about NFS that talks about some fairly
obvious (once thought of) dangers of NFS.  It advises:

>      A. Filter packets at your firewall/router.  

>      B. Use a portmapper that disallows proxy access.

>      C. Check the configuration of the /etc/exports files on your hosts.
>         In particular:

>          1. Do *not* self-reference an NFS server in its own exports file.
>          2. Do not allow the exports file to contain a "localhost" entry.

Anyone know why these are recommended?  As far as I can see, if your
portmapper doesn't do proxy calls and/or you firewall out port 111, and
you don't care about local attacks, neither C.1 nor C.2 will buy you
anything further.  Am I missing something, or are these bits of advice
simply there for people who don't do A and B?

					der Mouse

			    mouse@collatz.mcrcim.mcgill.edu

home help back first fref pref prev next nref lref last post