Solaris 10: Bind NFS server to specific interface

Does anyone know how to configure the Solaris 10 NFS server to listen on a specific interface? It listens on all interfaces by default and I can't find any options in the man pages to change this.

My server is dual homed, with one interface configured with an internet facing IP address, and the other on a local 10.x.x.x private network. Unfortunately NFS is listening on both interfaces, and I *really* only want it to listen on the local interface - there will not be any legitimate connections from the internet interface, which makes this a security risk.
The NFS man pages suggest this is not possible ... has anyone dealt with this before, or should I investigate using tcp wrappers on the NFS daemons?
LVL 1
shealeyAsked:
Who is Participating?
 
NukfrorCommented:
You could also use IPFilter to make this happen.
0
 
durindilCommented:
You can specify "access=" options for your NFS exports, and restrict it to hosts, subnets, or nis netgroups
0
 
shealeyAuthor Commented:
Yes I know, the share access controls are fairly clearly described in the MAN pages.

Problem is, access controls on the shares doesn't stop people from breaking into the port(s) on which the daemons are listening on the internet-facing interface.

I also don't want to have to maintain firewall rules either just to solve a security issue with one service. I think I'm going to have to go with tcpwrappers.
0
Cloud Class® Course: CompTIA Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

 
NukfrorCommented:
Run bind in a sparse root zone which is using the specific interface (and an IP on the same network as that interface) you want.
0
 
NukfrorCommented:
Sorry !!! Never mind ... don't know how I got bind mixed into a NFS question .... LOL
0
 
shealeyAuthor Commented:
Funny you should mention it though, because I am in the process of researching how to create a Solaris zone.

I realised the other day that I can run services in 'zones' or 'containers' (which are brand new in Solaris 10), so what I probably need to do to fulfill my requirement is create a new zone which contains only the local network interface and the relevent file system - then bind NFS (and probably MySQL as well) to the new zone (which I think is done through the new svcadm interface).
0
 
shealeyAuthor Commented:
Question is, is it a good idea to use zones on a uniprocessor machine...?
0
 
NukfrorCommented:
Two answer your second question - sure, zones will work just dandy on a single process machine.

*BUT* you can't run NFS in a zone today.  NFS must be run in the Global zone :(  The NFS server requires some process rights that zones aren't currently allowed to have.  I believe there is a RFE out to address this.
0
 
shealeyAuthor Commented:
After much consideration, I'm going to firewall the WAN facing interface. Its the only way to be sure.

I will try 'Sunscreen lite' which can be downloaded from sun.com for free, and it that is a nightmare to configure I'll revert to one of the tried and tested OSS firewalls such as pf or iptables as mentioned above.

Thanks for comments guys.

Sean.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.