ZFS filesystem: export for more than one subnet
Jeremy Chadwick
koitsu at FreeBSD.org
Sun Sep 7 23:36:40 UTC 2008
On Mon, Sep 08, 2008 at 02:43:03AM +0400, Dmitry Morozovsky wrote:
> On Sun, 7 Sep 2008, Jeremy Chadwick wrote:
>
> JC> > is there any way so one can export ZFS file system to more than one net?
> JC> >
> JC> > in classic NFS I would use more than one line in /etc/exports -- how can I
> JC> > express such behaviour in zfs properties?
> JC>
> JC> Didn't you inadvertently ask this same question 6 months ago? :-)
> JC>
> JC> http://lists.freebsd.org/pipermail/freebsd-current/2008-March/084079.html
>
> Well, not exactly - that time I did not bump into different destination problem
> ;)
>
> JC> I believe if 'sharenfs=off' (the default), you can manage NFS mounts via
> JC> /etc/exports like normal. Ideally, you should (?) be able to use
> JC> multiple "-network xxx/netmask" entries on the same export line.
>
> Hmm, that would do the trick; however, it seems to me that ZFS file system
> properties should be producet from the single source.
I interpret this to mean "there should be only one export(5) file used".
That would be something to take up with pjd@, but I'm willing to bet
that behaviour is not going to change. There is probably a good reason
why /etc/zfs/exports exists.
That said, what happens if you edit /etc/zfs/exports by hand, then run
"zfs list -o sharenfs"? Does it show the changes you put in place? If
so, then great -- it means there's two ways a person can edit the
NFS-exported ZFS shares (by editing the file directly, or using "zfs").
> JC> If you absolutely must do it via the 'zfs' command, according to pjd@'s
> JC> EuroBSDCon presentation, this should work:
> JC>
> JC> # /etc/rc.d/mountd start
> JC> # zfs set sharenfs="ro,network=x.x.x.x,mask=y.y.y.y" some_fs
> JC> # /etc/rc.d/mountd reload
>
> Well, this configures only one network per file system, isn't it? BTW, mountd
> will be reloaded by zfs automagically (and, as Kris bumps ito it, it would
> create a problem with race hole of inaccessible NFS mounts while mountd reloads
> the list)
Does the below work?
# zfs set sharenfs="ro,network=aaa/xx,network=bbb/yy,network=ccc/zz" some_fs
If not (e.g. mountd rejects it, or only the first network is used), then
this would indicate a problem with the exports file syntax / problem
with mountd, and not with ZFS.
Solaris solves all of this, AFAIK, by having a central command that
manages the export list: share(1). "zfs" on Solaris even calls this.
BSD does not have this utility.
> JC> However, I'd advocate you consider running pf on the machine running
> JC> mountd instead, and use an actual firewall to block who can talk to
> JC> mountd on the machine exporting the shares.
>
> I would prefer to do both ;) Oh, and hosts.allow possibly too... Or, would it
> be too inefficient?
There is absolutely no reason to do both. Packets arriving on the
network will hit the pf stack before ever reaching mountd, which is
perfect, and a good security model.
Additionally, libwrap (hosts.allow/deny) is a travesty, and should be
nuked from the face of the planet. It provides a false sense of
security -- it doesn't stop someone (anyone!) from being able to
actually connect to that TCP port (or in the case of UDP, I believe a
deny/rejection will actually send back a packet of some kind), which
means people will then know you've got (rpcbind|mountd|ftpd|whatever)
running, which gives an attacker/hacker significant hints about what
your system is running, and more ammunition.
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
More information about the freebsd-fs
mailing list