Dang, forgot to cc the freeswan mailing lists.
---- Forwarded message from Linas Vepstas <linas_at_linas.org> -----
To: Stuart Sheldon <stu_at_actusa.net>
Cc: Trond Myklebust <trond.myklebust_at_fys.uio.no>,
Linas Vepstas <linas_at_linas.org>, nfs_at_lists.sourceforge.net
Subject: Re: [NFS] NFS on a freeswan gateway?
From: linas_at_linas.org (Linas Vepstas)
On Mon, Jun 24, 2002 at 05:06:15PM -0700, Stuart Sheldon was heard to remark:
> Linas,
>
> This looks to me to be a configuration issue. RPC always and has always
> presented its default route interface IP when connecting.
As per other note, it seems that other things (e.g. telnet) 'present
the default route interface IP' when connecting. News to me ...
> If you are
> attempting to mount to an NFS server on a network that is reachable from
> the inside interface, you would need to add the default interface IP to
> your /etc/exports file.
:-( well, of course, that interface is some dynamically assigned address
that some ISP provided. Hardly a thing I'd want to put in /etc/exports.
Now, I could wire up the internal DNS so that it learns about the
IP address that the ISP assigned. That way, I could put the name of
the machine, instead of a dotted numeric address, in the /etc/exports file.
But this adds more complexity, and I'm somewhat concerned about the security
implications (dns spoofing & etc.).
I would be much happier if mount (and telnet & ping & etc.) used a source
address that corresponded to the interface from which the packets came.
That way, I could set up my packet filters to roundly reject all traffic
from external interfaces (other than the secure ipsec traffic).
The basic idea is to allow roaming clients to get NFS access to internal networks. The roaming client has a built-in firewall to block almost everything, and a freeswan tunnel to get it onto the internal net. Having the source address be the default route IP addr rather than the internal addr just gums it all up.

I think this is a question for the networking gurus.
--linas
-- pub 1024D/01045933 2001-02-01 Linas Vepstas (Labas!) <linas_at_linas.org> PGP Key fingerprint = 8305 2521 6000 0B5E 8984 3F54 64A9 9A82 0104 5933
----- End forwarded message -----
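To make the mismatch the thread describes concrete, here is an added example (not code from the thread or from FreeS/WAN): a constructed routing table in which the IPsec virtual interface carries the same ISP-assigned outer address as the physical interface, a longest-prefix source-address pick, and an /etc/exports matcher that shows why an export limited to the internal subnet never matches the client. All addresses and the exports line are made up for illustration.

```python
import ipaddress

# Constructed routing table for the roaming client: the default route and the
# tunnel route both use the ISP-assigned outer address as their source
# (assumption modelled on the thread's complaint; addresses are made up).
ROUTES = [
    ("0.0.0.0/0",       "eth0",   "203.0.113.77"),   # default route via ISP link
    ("192.168.10.0/24", "ipsec0", "203.0.113.77"),   # internal net through the tunnel
]

# Constructed /etc/exports line that trusts only the internal subnet.
EXPORTS = "/home 192.168.10.0/24(rw,no_root_squash)   # internal hosts only\n"


def pick_source(dest, routes=ROUTES):
    """Longest-prefix match: return the source address bound to the interface
    of the most specific route covering dest (None if no route matches)."""
    d = ipaddress.ip_address(dest)
    best = None
    for net, _iface, src in routes:
        n = ipaddress.ip_network(net)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, src)
    return best[1] if best else None


def parse_exports(text):
    """Parse exports lines into (path, [client specs]) with options stripped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        entries.append((path, [c.split("(", 1)[0] for c in clients]))
    return entries


def client_allowed(exports_text, path, source_ip):
    """Does an NFS request for path arriving from source_ip match an export?"""
    ip = ipaddress.ip_address(source_ip)
    for p, clients in parse_exports(exports_text):
        if p != path:
            continue
        for spec in clients:
            if spec == "*":
                return True
            try:
                if ip in ipaddress.ip_network(spec, strict=False):
                    return True
            except ValueError:
                pass  # hostname or wildcard spec; not resolved offline
    return False
```

Running `client_allowed(EXPORTS, "/home", pick_source("192.168.10.1"))` yields False: the server sees the outer address, not an internal one, which is exactly why the export would have to list the dynamic ISP address.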
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:16 CEST