daemon@ATHENA.MIT.EDU (Bela Lubkin)
Thu Dec 22 12:00:37 1994
From: Bela Lubkin <belal@sco.COM>
Date: Thu, 22 Dec 1994 05:56:50 -0800
To: bugtraq@fc.net
der Mouse wrote:
> I just got a CERT advisory about NFS that talks about some fairly
> obvious (once thought of) dangers of NFS. It advises:
>
> > A. Filter packets at your firewall/router.
>
> > B. Use a portmapper that disallows proxy access.
>
> > C. Check the configuration of the /etc/exports files on your hosts.
> > In particular:
>
> > 1. Do *not* self-reference an NFS server in its own exports file.
> > 2. Do not allow the exports file to contain a "localhost" entry.
>
> Anyone know why these are recommended? As far as I can see, if your
> portmapper doesn't do proxy calls and/or you firewall out port 111, and
> you don't care about local attacks, neither C.1 nor C.2 will buy you
> anything further. Am I missing something, or are these bits of advice
> simply there for people who don't do A and B?
It depends how "soft and chewy" you want the inside of your firewall to
be. You might try to keep the inside machines fairly tight so that *if*
someone breaches the firewall, they'll still have trouble moving around.
(This both tends to limit the damage done, and, by making them have to
*do things* to each system they attack, makes it more likely that you'll
notice their activities).
>Bela<
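A defender-side check for items C.1 and C.2 of the quoted CERT advice, added here as an example and not code from the thread: it parses a Linux-style /etc/exports and flags any export whose client list names the server itself or a loopback address. The sample file and hostnames are constructed; the parser assumes the `path client(options)` layout and does not expand netgroups, wildcards or CIDR ranges.

```python
# Loopback names that should never appear as an NFS client in a server's
# own exports file (advice C.2 above).
LOOPBACK = {"localhost", "localhost.localdomain", "127.0.0.1", "::1"}

# Constructed sample exports file (not taken from any real host).
SAMPLE_EXPORTS = """\
# constructed sample
/export/home   nfsclient1.example.com(rw) nfsserver.example.com(rw)
/export/tools  localhost(ro) 10.0.0.0/24(ro)
/export/pub    *(ro,sync)
"""

def parse_exports(text):
    """Parse lines of the form: <path> <client>(<opts>) <client>(<opts>) ...
    Returns a list of (path, [client, ...]); export options are discarded."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        clients = []
        for field in fields[1:]:
            client = field.split("(", 1)[0]        # strip "(rw,sync)" options
            clients.append(client if client else "*")  # bare "(opts)" = everyone
        entries.append((fields[0], clients))
    return entries

def find_self_references(text, self_names):
    """Flag exports naming the server itself (C.1) or a loopback (C.2).
    self_names: hostnames/addresses this server is known by (assumed input).
    Netgroups (@name), wildcards and CIDR ranges are not resolved, so a
    range that happens to cover the server's own address is not reported."""
    own = {n.lower() for n in self_names} | LOOPBACK
    findings = []
    for path, clients in parse_exports(text):
        for client in clients:
            if client.lower() in own:
                findings.append((path, client))
    return findings

if __name__ == "__main__":
    for path, client in find_self_references(SAMPLE_EXPORTS, ["nfsserver.example.com"]):
        print(f"self-referencing export: {path} -> {client}")
```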