
Re: [stunnel-users] NFS over stunnel

Brian Hatch, 11-18-2007


Near 2007-11-16 12:18 -0600, Andy Wettstein spake:

> I wrote a document about how I am running NFS over stunnel. Using some
> firewall rules I was able to eliminate most of the complications for
> using secure NFS. It could probably use more detailed explanations, but
> the scripts I am using are all there.


The server allows rw access to localhost. Since stunnel will be showing
each incoming packet from localhost, this is the only IP you can use.

On the clients, you're listening on localhost (127.0.0.0/8 is all,
effectively, local.) You cannot distinguish the official mounts on
the clients from any random user running their own daemons.

This means anyone on any client can access this NFS directory as
any user, since the NFS model is purely client based userid/groupid
security.

This is my first worry, but the rest of the writeup looks very detailed.

Not sure how well the server will handle multiple NFS mounts from the
same IP (localhost, no matter how many actual clients.)

--
Brian Hatch
Systems and Security Engineer
http://www.ifokr.org/bri/

"He is no lawyer who cannot take two sides."

Every message PGP signed
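
Added example, not part of Brian Hatch's message or of Andy Wettstein's writeup: a small audit of `/etc/exports` text that reports exports whose only client is a loopback address, which is the configuration the reply worries about, since the server then sees every tunnelled client as localhost. The sample exports text, function names and the set of options reported are assumptions made for this illustration.

```python
import ipaddress

LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")
LOOPBACK_V6 = ipaddress.ip_network("::1/128")
# Options worth reporting on a loopback export (see exports(5)):
#   rw             - writes allowed, and uid/gid are asserted by the client
#   insecure       - accepts requests from source ports above 1024
#   no_root_squash - client uid 0 is treated as root on the server
RISKY = {"rw", "insecure", "no_root_squash"}

# Constructed sample input, not taken from the original writeup.
SAMPLE_EXPORTS = """\
# constructed sample
/srv/nfs    127.0.0.1(rw,insecure,sync)
/srv/pub    localhost(ro,sync) 192.168.10.0/24(rw,sync)
/srv/home   10.0.0.5(rw,no_root_squash)
"""

def is_loopback(client):
    """True if an exports client spec covers only loopback addresses."""
    if client in ("localhost", "localhost.localdomain"):
        return True
    try:
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return False  # hostname, wildcard or netgroup: not judged here
    if net.version == 4:
        return net.subnet_of(LOOPBACK_V4)
    return net == LOOPBACK_V6

def audit_exports(text):
    """Return (path, client, risky_options) for every loopback export."""
    findings = []
    for raw in text.replace("\\\n", " ").splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        path = fields[0]
        for spec in fields[1:]:
            host, _, opts = spec.partition("(")
            options = set(opts.rstrip(")").split(","))
            if is_loopback(host):
                findings.append((path, host, sorted(options & RISKY)))
    return findings

if __name__ == "__main__":
    for path, host, risky in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}: exported to {host}, options of concern: {risky or 'none'}")
```

A loopback export with `rw` means the export's host check no longer separates one tunnelled client from another, so access control has to come from the tunnel endpoints instead.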
