ZFS filesystem: export for more than one subnet
Dmitry Morozovsky
marck at rinet.ru
Mon Sep 8 07:21:50 UTC 2008
On Sun, 7 Sep 2008, Jeremy Chadwick wrote:
JC> That said, what happens if you edit /etc/zfs/exports by hand, then run
JC> "zfs list -o sharenfs"? Does it show the changes you put in place? If
JC> so, then great -- it means there's two ways a person can edit the
JC> NFS-exported ZFS shares (by editing the file directly, or using "zfs").
Nope, ZFS does not track /etc/zfs/export, hence "Do not edit!" comment in it.
JC> Does the below work?
JC>
JC> # zfs set sharenfs="ro,network=aaa/xx,network=bbb/yy,network=ccc/zz" some_fs
JC>
JC> If not (e.g. mountd rejects it, or only the first network is used), then
JC> this would indicate a problem with the exports file syntax / problem
JC> with mountd, and not with ZFS.
It is of course FreeBSD' mountd problem (more than it does not understand CIDR
slashed notation):
marck at beaver:~# cat /etc/zfs/exports
# !!! DO NOT EDIT THIS FILE MANUALLY !!!
/FreeBSD -ro -alldirs -network 195.54.192.0 -mask 255.255.255.192
255.255.255.192
marck at beaver:~# zfs get sharenfs bv/FreeBSD
NAME PROPERTY VALUE SOURCE
bv/FreeBSD sharenfs -ro -alldirs -network 195.54.192.0 -mask 255.255.255.192 local
marck at beaver:~# zfs set sharenfs="ro,alldirs,network=195.54.192.0/26,192.168.39.0/24" bv/FreeBSD
marck at beaver:~# zfs get sharenfs bv/FreeBSD
NAME PROPERTY VALUE SOURCE
bv/FreeBSD sharenfs ro,alldirs,network=195.54.192.0/26,192.168.39.0/24 local
Sep 8 11:18:18 beaver mountd[25992]: can't get address info for host 192.168.39.0/24
Sep 8 11:18:18 beaver mountd[25992]: bad host 192.168.39.0/24, skipping
Sep 8 11:18:18 beaver mountd[25992]: network/host conflict
Sep 8 11:18:18 beaver mountd[25992]: bad exports list line /FreeBSD -ro -alldirs -network
JC> > I would prefer to do both ;) Oh, and hosts.allow possibly too... Or, would it
JC> > be too inefficient?
JC>
JC> There is absolutely no reason to do both. Packets arriving on the
JC> network will hit the pf stack before ever reaching mountd, which is
JC> perfect, and a good security model.
JC>
JC> Additionally, libwrap (hosts.allow/deny) is a travesty, and should be
JC> nuked from the face of the planet. It provides a false sense of
JC> security -- it doesn't stop someone (anyone!) from being able to
JC> actually connect to that TCP port (or in the case of UDP, I believe a
JC> deny/rejection will actually send back a packet of some kind), which
JC> means people will then know you've got (rpcbind|mountd|ftpd|whatever)
JC> running, which gives an attacker/hacker significant hints about what
JC> your system is running, and more ammunition.
Well, all there actually make sense. Thanks, I'll think about it a little bit
more.
Sincerely,
D.Marck [DM5020, MCK-RIPE, DM3-RIPN]
[ FreeBSD committer: marck at FreeBSD.org ]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck at rinet.ru ***
------------------------------------------------------------------------
More information about the freebsd-fs
mailing list