Solved

Solaris 10: Bind NFS server to specific interface

Posted on 2006-11-09
9
2,658 Views
Last Modified: 2013-12-21
Does anyone know how to configure the Solaris 10 NFS server to listen on a specific interface? It listens on all interfaces by default and I can't find any options in the man pages to change this.

My server is dual homed, with one interface configured with an internet facing IP address, and the other on a local 10.x.x.x private network. Unfortunately NFS is listening on both interfaces, and I *really* only want it to listen on the local interface - there will not be any legitimate connections from the internet interface, which makes this a security risk.
The NFS man pages suggest this is not possible ... has anyone dealt with this before, or should I investigate using tcp wrappers on the NFS daemons?
0
Comment
Question by:shealey
  • 4
  • 4
9 Comments
 
LVL 10

Accepted Solution

by:
Nukfror earned 250 total points
ID: 17924932
You could also use IPFilter to make this happen.
0
 
LVL 6

Expert Comment

by:durindil
ID: 17950760
You can specify "access=" options for your NFS exports, and restrict it to hosts, subnets, or nis netgroups
0
 
LVL 1

Author Comment

by:shealey
ID: 17950995
Yes I know, the share access controls are fairly clearly described in the MAN pages.

Problem is, access controls on the shares doesn't stop people from breaking into the port(s) on which the daemons are listening on the internet-facing interface.

I also don't want to have to maintain firewall rules either just to solve a security issue with one service. I think I'm going to have to go with tcpwrappers.
0
 
LVL 10

Expert Comment

by:Nukfror
ID: 17955316
Run bind in a sparse root zone which is using the specific interface (and an IP on the same network as that interface) you want.
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 10

Expert Comment

by:Nukfror
ID: 17955321
Sorry !!! Never mind ... don't know how I got bind mixed into a NFS question .... LOL
0
 
LVL 1

Author Comment

by:shealey
ID: 17955506
Funny you should mention it though, because I am in the process of researching how to create a Solaris zone.

I realised the other day that I can run services in 'zones' or 'containers' (which are brand new in Solaris 10), so what I probably need to do to fulfill my requirement is create a new zone which contains only the local network interface and the relevent file system - then bind NFS (and probably MySQL as well) to the new zone (which I think is done through the new svcadm interface).
0
 
LVL 1

Author Comment

by:shealey
ID: 17955523
Question is, is it a good idea to use zones on a uniprocessor machine...?
0
 
LVL 10

Expert Comment

by:Nukfror
ID: 17962468
Two answer your second question - sure, zones will work just dandy on a single process machine.

*BUT* you can't run NFS in a zone today.  NFS must be run in the Global zone :(  The NFS server requires some process rights that zones aren't currently allowed to have.  I believe there is a RFE out to address this.
0
 
LVL 1

Author Comment

by:shealey
ID: 18323134
After much consideration, I'm going to firewall the WAN facing interface. Its the only way to be sure.

I will try 'Sunscreen lite' which can be downloaded from sun.com for free, and it that is a nightmare to configure I'll revert to one of the tried and tested OSS firewalls such as pf or iptables as mentioned above.

Thanks for comments guys.

Sean.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Installing FreeBSD… FreeBSD is a darling of an operating system. The stability and usability make it a clear choice for servers and desktops (for the cunning). Savvy?  The Ports collection makes available every popular FOSS application and packag…
Java performance on Solaris - Managing CPUs There are various resource controls in operating system which directly/indirectly influence the performance of application. one of the most important resource controls is "CPU".   In a multithreaded…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now