Solved

Solaris 10: Bind NFS server to specific interface

Posted on 2006-11-09
Last Modified: 2013-12-21
Does anyone know how to configure the Solaris 10 NFS server to listen on a specific interface? It listens on all interfaces by default and I can't find any options in the man pages to change this.

My server is dual homed, with one interface configured with an internet facing IP address, and the other on a local 10.x.x.x private network. Unfortunately NFS is listening on both interfaces, and I *really* only want it to listen on the local interface - there will not be any legitimate connections from the internet interface, which makes this a security risk.
The NFS man pages suggest this is not possible ... has anyone dealt with this before, or should I investigate using tcp wrappers on the NFS daemons?
Question by:shealey
 
LVL 10

Accepted Solution

by:
Nukfror earned 250 total points
ID: 17924932
You could also use IPFilter to make this happen.
0
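A sketch of what the IPFilter approach suggested above could look like, as an added example that is not part of the original answer. The interface names `bge0` (internet-facing) and `bge1` (10.x LAN) and the SSH allowance are assumptions; the ruleset contrasts blocking individual NFS ports with default-deny on the WAN interface.

```conf
# /etc/ipf/ipf.conf (added example; bge0 = internet-facing and
# bge1 = 10.x LAN are assumed interface names, substitute your own)

# Weak variant: block only the well-known NFS-related ports on the WAN side.
# Incomplete, because mountd and statd register dynamically assigned ports
# with rpcbind at start-up and stay reachable on whatever port they received.
# block in quick on bge0 proto tcp/udp from any to any port = 111    # rpcbind
# block in quick on bge0 proto tcp/udp from any to any port = 2049   # nfsd
# block in quick on bge0 proto tcp/udp from any to any port = 4045   # lockd

# Preferred variant: default-deny inbound on the WAN interface.
# IPFilter applies the last matching rule unless a rule says "quick", so the
# blanket block comes first and the specific pass rules below override it.
block in log on bge0 all

# Services that must be reachable from the internet
# (assumption for this example: SSH only).
pass in quick on bge0 proto tcp from any to any port = 22 flags S keep state

# Let the host itself talk out through the WAN interface; "keep state"
# admits the replies without opening any inbound port.
pass out quick on bge0 proto tcp from any to any flags S keep state
pass out quick on bge0 proto udp from any to any keep state
pass out quick on bge0 proto icmp from any to any keep state

# LAN side is left unfiltered here; the share-level access= controls
# still decide which LAN clients may mount.
pass in quick on bge1 all
pass out quick on bge1 all
```

Load the rules with `ipf -Fa -f /etc/ipf/ipf.conf` and list what is active with `ipfstat -io`.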
 
LVL 6

Expert Comment

by:durindil
ID: 17950760
You can specify "access=" options for your NFS exports, and restrict it to hosts, subnets, or nis netgroups
0
 
LVL 1

Author Comment

by:shealey
ID: 17950995
Yes I know, the share access controls are fairly clearly described in the MAN pages.

Problem is, access controls on the shares don't stop people from breaking into the port(s) on which the daemons are listening on the internet-facing interface.

I also don't want to have to maintain firewall rules either just to solve a security issue with one service. I think I'm going to have to go with tcpwrappers.
0
 
LVL 10

Expert Comment

by:Nukfror
ID: 17955316
Run bind in a sparse root zone which is using the specific interface (and an IP on the same network as that interface) you want.
0
 
LVL 10

Expert Comment

by:Nukfror
ID: 17955321
Sorry !!! Never mind ... don't know how I got bind mixed into a NFS question .... LOL
0
 
LVL 1

Author Comment

by:shealey
ID: 17955506
Funny you should mention it though, because I am in the process of researching how to create a Solaris zone.

I realised the other day that I can run services in 'zones' or 'containers' (which are brand new in Solaris 10), so what I probably need to do to fulfill my requirement is create a new zone which contains only the local network interface and the relevant file system - then bind NFS (and probably MySQL as well) to the new zone (which I think is done through the new svcadm interface).
0
 
LVL 1

Author Comment

by:shealey
ID: 17955523
Question is, is it a good idea to use zones on a uniprocessor machine...?
0
 
LVL 10

Expert Comment

by:Nukfror
ID: 17962468
To answer your second question - sure, zones will work just dandy on a single process machine.

*BUT* you can't run NFS in a zone today.  NFS must be run in the Global zone :(  The NFS server requires some process rights that zones aren't currently allowed to have.  I believe there is a RFE out to address this.
0
 
LVL 1

Author Comment

by:shealey
ID: 18323134
After much consideration, I'm going to firewall the WAN facing interface. It's the only way to be sure.

I will try 'Sunscreen lite' which can be downloaded from sun.com for free, and if that is a nightmare to configure I'll revert to one of the tried and tested OSS firewalls such as pf or iptables as mentioned above.

Thanks for comments guys.

Sean.
0
