[stunnel-users] NFS over stunnel

Brian Hatch bri at stunnel.org
Sun Nov 18 16:56:02 CET 2007


Near 2007-11-16 12:18 -0600, Andy Wettstein spake:

> I wrote a document about how I am running NFS over stunnel.  Using some
> firewall rules I was able to eliminate most of the complications for
> using secure NFS.  It could probably use more detailed explanations, but
> the scripts I am using are all there.

The server allows rw access to localhost.  Since stunnel will be showing
each incoming packet from localhost, this is the only IP you can use.

On the clients, you're listening on localhost (127.0.0.0/8 is all,
effectively, local.)  You cannot distinguish the official mounts on
the clients from any random user running their own daemons.

This means anyone on any client can access this NFS directory as
any user, since the NFS model is purely client based userid/groupid
security.

This is my first worry, but the rest of the writeup looks very detailed.

Not sure how well the server will handle multiple NFS mounts from the
same IP (localhost, no matter how many actual clients.)

-- 
Brian Hatch                  He is no lawyer who
   Systems and                cannot take two sides.
   Security Engineer
http://www.ifokr.org/bri/

Every message PGP signed
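
An added example, not part of the original message or of the writeup it discusses: a small audit of an NFS server's exports file that flags read-write exports to loopback where client-supplied uid/gid are still honoured, which is the exposure described above once every tunnelled client appears as localhost. The sample exports content and the function names are constructed for illustration; `all_squash` only removes the "as any user" part and does not restrict who can reach the tunnel.

```python
import ipaddress
import re

# Constructed sample exports(5) content, not taken from the original post.
SAMPLE_EXPORTS = """\
# constructed sample
/srv/nfs/home   localhost(rw,insecure,sync)
/srv/nfs/pub    127.0.0.1(ro,all_squash)
/srv/nfs/proj   192.0.2.10(rw,sync) 127.0.0.1(rw,all_squash,anonuid=1500)
"""

def is_loopback(host):
    """True if an exports client spec names the loopback host or network."""
    if host.lower() in ("localhost", "localhost.localdomain"):
        return True
    try:
        return ipaddress.ip_network(host, strict=False).is_loopback
    except ValueError:
        return False  # hostname, wildcard or netgroup: not loopback

def audit_exports(text):
    """Return (path, host, reason) for loopback exports that are rw and
    still trust the uid/gid sent by the client (no all_squash)."""
    findings = []
    text = text.replace("\\\n", " ")  # join continuation lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = re.fullmatch(r"([^()]*)\((.*)\)", client)
            host = m.group(1) if m else client
            opts = m.group(2).split(",") if m else []  # default is ro
            if not is_loopback(host):
                continue
            if "rw" in opts and "all_squash" not in opts:
                reason = "rw to loopback, client uid/gid trusted"
                if "no_root_squash" in opts:
                    reason += ", root not squashed"
                findings.append((path, host, reason))
    return findings

if __name__ == "__main__":
    for path, host, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {host}: {reason}")
```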