Near 2007-11-16 12:18 -0600, Andy Wettstein spake:
I wrote a document about how I am running NFS over stunnel. Using some firewall rules I was able to eliminate most of the complications for using secure NFS. It could probably use more detailed explanations, but the scripts I am using are all there.
The server allows rw access to localhost. Since stunnel will be showing each incoming packet from localhost, this is the only IP you can use.
On the clients, you're listening on localhost (127.0.0.0/8 is, effectively, all local). You cannot distinguish the official mounts on the clients from any random user running their own daemons.
This means anyone on any client can access this NFS directory as any user, since the NFS model is purely client based userid/groupid security.
This is my first worry, but the rest of the writeup looks very detailed.
Not sure how well the server will handle multiple NFS mounts from the same IP (localhost, no matter how many actual clients.)
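To make the "purely client based userid/groupid" point concrete, here is an added example (not code from the thread, Andy's writeup, or stunnel) that encodes and decodes an ONC RPC call header carrying AUTH_SYS (AUTH_UNIX) credentials as laid out in RFC 5531. The stamp, machine name, uid, gid and group list are plain integers and strings filled in by whoever builds the message; nothing in the wire format binds them to the sender. Anything that can reach the stunnel listener on a client's localhost can therefore present whatever uid it likes, and the only thing standing between a claimed uid 0 and real root access on the export is root_squash. The program and procedure numbers (100003, NFSv3 GETATTR), the machine name "client" and the sample uids are constructed for the demonstration; `effective_ids` models the Linux default of mapping uid/gid 0 to 65534 and is a simplification, not the server's actual code.

```python
"""Build and parse ONC RPC (RFC 5531) call headers with AUTH_SYS credentials.

Added example for the NFS-over-stunnel thread: it shows that the uid/gid an
AUTH_SYS-only NFS server acts on are values the caller simply writes into
the message.  Nothing here talks to a network.
"""
import struct

# RPC message constants from RFC 5531; NFS program/version/proc from RFC 1813.
RPC_CALL = 0
RPC_VERSION = 2
AUTH_NONE = 0
AUTH_SYS = 1                # also called AUTH_UNIX
NFS_PROGRAM = 100003
NFS_V3 = 3
NFSPROC3_GETATTR = 1
NOBODY = 65534              # Linux exports(5) default anonuid/anongid


def _u32(v):
    return struct.pack(">I", v)


def _opaque(data):
    # XDR variable-length opaque: 4-byte length, bytes, zero pad to 4-byte boundary.
    return _u32(len(data)) + data + b"\x00" * ((-len(data)) % 4)


def auth_sys_body(stamp, machinename, uid, gid, gids):
    # RFC 5531 Appendix A: stamp, machinename<255>, uid, gid, gids<16>.
    body = _u32(stamp) + _opaque(machinename.encode()) + _u32(uid) + _u32(gid)
    body += _u32(len(gids)) + b"".join(_u32(g) for g in gids)
    return body


def rpc_call_header(xid, prog, vers, proc, cred_flavor, cred_body):
    """Serialize the call header: xid, CALL, rpcvers, prog, vers, proc, cred, verf."""
    hdr = _u32(xid) + _u32(RPC_CALL) + _u32(RPC_VERSION)
    hdr += _u32(prog) + _u32(vers) + _u32(proc)
    hdr += _u32(cred_flavor) + _opaque(cred_body)      # cred: opaque_auth
    hdr += _u32(AUTH_NONE) + _opaque(b"")              # verf: AUTH_NONE for AUTH_SYS
    return hdr


class _Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def u32(self):
        (v,) = struct.unpack_from(">I", self.buf, self.pos)
        self.pos += 4
        return v

    def opaque(self):
        n = self.u32()
        data = self.buf[self.pos:self.pos + n]
        self.pos += n + ((-n) % 4)
        return data


def parse_call_header(buf):
    """Decode the header the way a server would before dispatching the call."""
    r = _Reader(buf)
    msg = {"xid": r.u32(), "msg_type": r.u32(), "rpcvers": r.u32(),
           "prog": r.u32(), "vers": r.u32(), "proc": r.u32()}
    msg["cred_flavor"] = r.u32()
    cred = r.opaque()
    msg["verf_flavor"] = r.u32()
    r.opaque()
    if msg["cred_flavor"] == AUTH_SYS:
        c = _Reader(cred)
        msg["stamp"] = c.u32()
        msg["machinename"] = c.opaque().decode()
        msg["uid"], msg["gid"] = c.u32(), c.u32()
        msg["gids"] = [c.u32() for _ in range(c.u32())]
    return msg


def effective_ids(uid, gid, root_squash=True):
    """Simplified model of the identity an AUTH_SYS export acts on.

    Only uid/gid 0 is ever remapped (and only with root_squash); every other
    claimed identity is taken at face value.
    """
    if root_squash and uid == 0:
        return NOBODY, NOBODY if gid == 0 else gid
    return uid, gid


if __name__ == "__main__":
    # Constructed message: an unprivileged local process claiming to be root.
    hdr = rpc_call_header(0x1234, NFS_PROGRAM, NFS_V3, NFSPROC3_GETATTR, AUTH_SYS,
                          auth_sys_body(0, "client", 0, 0, [0]))
    print(parse_call_header(hdr))
```

The caller picks the uid and the server believes it; with root_squash only uid 0 gets remapped, so a claimed uid 1000 is honoured exactly as if the legitimate kernel NFS client on that box had sent it.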