Hi,
I wrote a document about how I am running NFS over stunnel. Using some firewall rules I was able to eliminate most of the complications for using secure NFS. It could probably use more detailed explanations, but the scripts I am using are all there.
It's still kind of in test phase, but I am currently mounting my home directory using stunnel. I haven't really noticed much of a speed problem in day to day activities.
https://w3.physics.uiuc.edu/physwiki/doku.php?id=pcs:unix:nfs_over_stunnel
Please send any questions you might have.
Near 2007-11-16 12:18 -0600, Andy Wettstein spake:
> I wrote a document about how I am running NFS over stunnel. Using some firewall rules I was able to eliminate most of the complications for using secure NFS. It could probably use more detailed explanations, but the scripts I am using are all there.
The server allows rw access to localhost. Since stunnel will be showing each incoming packet from localhost, this is the only IP you can use.
On the clients, you're listening on localhost (127.0.0.0/8 is all, effectively, local.) You cannot distinguish the official mounts on the clients from any random user running their own daemons.
This means anyone on any client can access this NFS directory as any user, since the NFS model is purely client based userid/groupid security.
This is my first worry, but the rest of the writeup looks very detailed.
Not sure how well the server will handle multiple NFS mounts from the same IP (localhost, no matter how many actual clients.)
On Sun, Nov 18, 2007 at 07:56:02AM -0800, Brian Hatch wrote:
> Near 2007-11-16 12:18 -0600, Andy Wettstein spake:
> > I wrote a document about how I am running NFS over stunnel. Using some firewall rules I was able to eliminate most of the complications for using secure NFS. It could probably use more detailed explanations, but the scripts I am using are all there.
> The server allows rw access to localhost. Since stunnel will be showing each incoming packet from localhost, this is the only IP you can use.
That's the desired effect, right?
> On the clients, you're listening on localhost (127.0.0.0/8 is all, effectively, local.) You cannot distinguish the official mounts on the clients from any random user running their own daemons.
> This means anyone on any client can access this NFS directory as any user, since the NFS model is purely client based userid/groupid security.
> This is my first worry, but the rest of the writeup looks very detailed.
Did you see those scripts create firewall rules to handle this? On the client, the script does this for each tunneled port:

    iptables -t filter -A $chain -p tcp -d $securehost --dport $tport --match owner ! --uid-owner root -j DROP

Where $securehost is the address on 127.0.0.0/8.
The iptables output, f.e., looks like this:

    DROP tcp -- 0.0.0.0/0 127.0.4.1 tcp dpt:1041 ! OWNER UID match 0

On the server this is done for each port:

    iptables -t filter -A $chain -p tcp -d localhost --dport $tport --match owner ! --uid-owner $stunneluser -j DROP

The iptables output (the nfstunnel user has UID 113):

    DROP tcp -- 0.0.0.0/0 127.0.0.1 tcp dpt:1041 ! OWNER UID match 113
With these rules enabled, I don't believe it is possible for a user to use either a rogue NFS client directly on either the client or server machine or retunnel those ports to another machine.
Do you think those rules aren't doing what I expect? Maybe I should put a little more explanation about this on that page.
> Not sure how well the server will handle multiple NFS mounts from the same IP (localhost, no matter how many actual clients.)
Yes, I'll see. I have several hundred machines that mount my home directory. So far I haven't seen anything abnormal at least with a linux nfs server.
Andy
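As an added example (not from the wiki page or from either mail above), a small POSIX sh script that builds the per-port owner-match DROP rule from Andy's reply for either role, and checks an iptables -L OUTPUT -n listing in the format quoted in the thread for tunneled ports that lack such a rule. The function names, the OUTPUT chain (the owner match only applies to locally generated packets), the default port list and the sample listing are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the wiki's or the mails' own scripts. Builds the owner-match
# DROP rules discussed in the thread and audits an `iptables -L OUTPUT -n`
# listing for them. All names here are this example's assumptions.

NFS_PORTS="${NFS_PORTS:-1041 1042}"    # constructed sample tunnel ports

# nfs_tunnel_rule ROLE PORT
#   client: only root may reach the local stunnel endpoint ($SECUREHOST)
#   server: only the stunnel user may reach the local NFS endpoint
# Prints the iptables command that installs the rule (OUTPUT chain assumed,
# because the owner match only works on locally generated packets).
nfs_tunnel_rule() {
  case $1 in
    client) _owner=root; _dest=${SECUREHOST:-127.0.4.1} ;;
    server) _owner=${STUNNEL_USER:-nfstunnel}; _dest=127.0.0.1 ;;
    *) echo "nfs_tunnel_rule: unknown role '$1'" >&2; return 1 ;;
  esac
  printf 'iptables -t filter -A OUTPUT -p tcp -d %s --dport %s -m owner ! --uid-owner %s -j DROP\n' \
    "$_dest" "$2" "$_owner"
}

# missing_rules UID LISTING
#   LISTING is the text of `iptables -t filter -L OUTPUT -n`, in the format
#   quoted in the thread. Prints every port in NFS_PORTS that has no DROP rule
#   carrying "! OWNER UID match UID"; returns 1 if any port is unprotected.
missing_rules() {
  _uid=$1; _listing=$2; _rc=0
  for _p in $NFS_PORTS; do
    if ! printf '%s\n' "$_listing" |
         grep -Eq "^DROP +tcp .*tcp dpt:$_p +! OWNER UID match $_uid\$"; then
      echo "$_p"; _rc=1
    fi
  done
  return $_rc
}

# Constructed client-side listing: port 1041 is protected, 1042 is not.
SAMPLE_LISTING='Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            127.0.4.1            tcp dpt:1041 ! OWNER UID match 0
ACCEPT     tcp  --  0.0.0.0/0            127.0.4.1            tcp dpt:1042'
```

Running missing_rules 0 "$SAMPLE_LISTING" prints 1042 and exits non-zero, which is the port a non-root user could still reach with their own NFS client.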