Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Solaris 10: Bind NFS server to specific interface

Posted on 2006-11-09
9
Medium Priority
?
2,832 Views
Last Modified: 2013-12-21
Does anyone know how to configure the Solaris 10 NFS server to listen on a specific interface? It listens on all interfaces by default and I can't find any options in the man pages to change this.

My server is dual homed, with one interface configured with an internet facing IP address, and the other on a local 10.x.x.x private network. Unfortunately NFS is listening on both interfaces, and I *really* only want it to listen on the local interface - there will not be any legitimate connections from the internet interface, which makes this a security risk.
The NFS man pages suggest this is not possible ... has anyone dealt with this before, or should I investigate using tcp wrappers on the NFS daemons?
0
Comment
Question by:shealey
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
9 Comments
 
LVL 10

Accepted Solution

by:
Nukfror earned 500 total points
ID: 17924932
You could also use IPFilter to make this happen.
0
 
LVL 6

Expert Comment

by:durindil
ID: 17950760
You can specify "access=" options for your NFS exports, and restrict it to hosts, subnets, or nis netgroups
0
 
LVL 1

Author Comment

by:shealey
ID: 17950995
Yes I know, the share access controls are fairly clearly described in the MAN pages.

Problem is, access controls on the shares doesn't stop people from breaking into the port(s) on which the daemons are listening on the internet-facing interface.

I also don't want to have to maintain firewall rules either just to solve a security issue with one service. I think I'm going to have to go with tcpwrappers.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 10

Expert Comment

by:Nukfror
ID: 17955316
Run bind in a sparse root zone which is using the specific interface (and an IP on the same network as that interface) you want.
0
 
LVL 10

Expert Comment

by:Nukfror
ID: 17955321
Sorry !!! Never mind ... don't know how I got bind mixed into a NFS question .... LOL
0
 
LVL 1

Author Comment

by:shealey
ID: 17955506
Funny you should mention it though, because I am in the process of researching how to create a Solaris zone.

I realised the other day that I can run services in 'zones' or 'containers' (which are brand new in Solaris 10), so what I probably need to do to fulfill my requirement is create a new zone which contains only the local network interface and the relevent file system - then bind NFS (and probably MySQL as well) to the new zone (which I think is done through the new svcadm interface).
0
 
LVL 1

Author Comment

by:shealey
ID: 17955523
Question is, is it a good idea to use zones on a uniprocessor machine...?
0
 
LVL 10

Expert Comment

by:Nukfror
ID: 17962468
Two answer your second question - sure, zones will work just dandy on a single process machine.

*BUT* you can't run NFS in a zone today.  NFS must be run in the Global zone :(  The NFS server requires some process rights that zones aren't currently allowed to have.  I believe there is a RFE out to address this.
0
 
LVL 1

Author Comment

by:shealey
ID: 18323134
After much consideration, I'm going to firewall the WAN facing interface. Its the only way to be sure.

I will try 'Sunscreen lite' which can be downloaded from sun.com for free, and it that is a nightmare to configure I'll revert to one of the tried and tested OSS firewalls such as pf or iptables as mentioned above.

Thanks for comments guys.

Sean.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Using libpcap/Jpcap to capture and send packets on Solaris version (10/11) Library used: 1.      Libpcap (http://www.tcpdump.org) Version 1.2 2.      Jpcap(http://netresearch.ics.uci.edu/kfujii/Jpcap/doc/index.html) Version 0.6 Prerequisite: 1.      GCC …
Every server (virtual or physical) needs a console: and the console can be provided through hardware directly connected, software for remote connections, local connections, through a KVM, etc. This document explains the different types of consol…
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.
Suggested Courses

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question