Why not take NFS off the gateway machine and put another NFS server box
behind the gateway machine? I have a customer with this setup and it
works well.
- Greg Scott
-----Original Message-----
From: Linas Vepstas [mailto:linas_at_linas.org]
Sent: Monday, June 24, 2002 7:46 PM
To: design_at_lists.freeswan.org; users_at_lists.freeswan.org
Subject: [Users] [Re: [NFS] NFS on a freeswan gateway?]
Dang, forgot to cc the freeswan mailing lists.
---- Forwarded message from Linas Vepstas <linas_at_linas.org> -----
To: Stuart Sheldon <stu_at_actusa.net>
Cc: Trond Myklebust <trond.myklebust_at_fys.uio.no>,
Linas Vepstas <linas_at_linas.org>, nfs_at_lists.sourceforge.net
Subject: Re: [NFS] NFS on a freeswan gateway?
From: linas_at_linas.org (Linas Vepstas)
On Mon, Jun 24, 2002 at 05:06:15PM -0700, Stuart Sheldon was heard to remark:
> Linas,
>
> This looks to me to be a configuration issue. RPC has always presented its default route interface IP when connecting.
As per other note, it seems that other things (e.g. telnet) 'present
the default route interface IP' when connecting. News to me ...
> If you are attempting to mount to an NFS server on a network that is reachable from the inside interface, you would need to add the default interface IP to your /etc/exports file.
:-( well, of course, that interface is some dynamically assigned address
that some ISP provided. Hardly a thing I'd want to put in /etc/exports.
Now, I could wire up the internal DNS so that it learns about the
IP address that the ISP assigned. That way, I could put the name of
the machine, instead of a dotted numeric address, in the /etc/exports
file.
But this adds more complexity, and I'm somewhat concerned about the security
implications (dns spoofing & etc.).
I would be much happier if mount (and telnet & ping & etc.) used a source
address that corresponded to the interface from which the packets came.
That way, I could set up my packet filters to roundly reject all traffic
from external interfaces (other than the secure ipsec traffic).
----

The basic idea is to allow roaming clients to get nfs access to internal networks. The roaming client has a built in firewall to block almost everything, and a freeswan tunnel to get it onto the internal net. Having the source address be the default route IP addr rather than the internal addr just gums it all up.

I think this is a question for the networking gurus.
--linas
-- pub 1024D/01045933 2001-02-01 Linas Vepstas (Labas!) <linas_at_linas.org> PGP Key fingerprint = 8305 2521 6000 0B5E 8984 3F54 64A9 9A82 0104 5933
----- End forwarded message -----
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
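The failure the thread describes comes down to two facts that can each be checked before touching a production exports file: which local address the client kernel will pick as the source for packets toward the NFS server, and whether that address is admitted by the server's /etc/exports. The script below is an added example written for this archive page; it is not code from the thread, from FreeS/WAN or from nfs-utils. The export table and the client addresses (10.1.0.5 as the tunnel-side address, 198.51.100.7 as the ISP-assigned address) are constructed for illustration, and the parser deliberately handles only IP, CIDR, `*` and wildcard hostname specs (netgroups are treated as non-matching because resolving them needs NIS).

```python
"""Check whether the source address a client would use toward an NFS server
is one that the server's exports table admits.

Added example for the mailing-list discussion above; not code from the
thread. EXPORTS and all addresses are constructed for illustration.
"""
import fnmatch
import ipaddress
import socket

# Constructed /etc/exports: the server trusts only its internal networks.
EXPORTS = """
# path            clients(options)
/home             10.1.0.0/16(rw,sync)   10.2.0.0/255.255.0.0(ro)
/pub              *(ro)
/srv/build        builder*.internal.example(rw)
"""


def parse_exports(text):
    """Return {path: [host_spec, ...]}, dropping comments and (options)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        # Keep only the host part of each "host(options)" entry.
        table[path] = [c.split("(", 1)[0] for c in clients]
    return table


def host_spec_matches(spec, client_ip, client_name=None):
    """True if one exports host spec admits the client."""
    if spec == "*":
        return True
    if spec.startswith("@"):          # netgroup: needs NIS, not resolved here
        return False
    try:
        # Accepts "10.1.0.5", "10.1.0.0/16" and "10.2.0.0/255.255.0.0".
        network = ipaddress.ip_network(spec, strict=False)
        return ipaddress.ip_address(client_ip) in network
    except ValueError:
        pass                           # not an address: treat as a name pattern
    return client_name is not None and fnmatch.fnmatch(client_name, spec)


def exports_allows(text, path, client_ip, client_name=None):
    """True if any host spec on the export line for `path` admits the client."""
    specs = parse_exports(text).get(path, [])
    return any(host_spec_matches(s, client_ip, client_name) for s in specs)


def source_address_for(dest_ip, port=2049):
    """Ask the kernel which local address it would use toward dest_ip.

    connect() on a UDP socket transmits nothing; it only selects the route
    and therefore the source address, which getsockname() then reports.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dest_ip, port))
        return s.getsockname()[0]


def mount_would_be_admitted(text, path, server_ip):
    """(source address the kernel picks, whether exports admits it)."""
    src = source_address_for(server_ip)
    return src, exports_allows(text, path, src)


if __name__ == "__main__":
    # The two candidate source addresses from the discussion (constructed).
    for client in ("10.1.0.5", "198.51.100.7"):
        print(f"/home from {client}: allowed={exports_allows(EXPORTS, '/home', client)}")
    # What this host would actually present toward a server at 127.0.0.1.
    print(mount_would_be_admitted(EXPORTS, "/home", "127.0.0.1"))
```

Running the script on the laptop before mounting shows whether the address the kernel reports for the server is the tunnel-side internal address or the ISP-assigned one; if it is the latter, the mount will be refused by an exports table that lists only internal networks, which is the symptom in the thread. Keeping the check on the client side avoids widening /etc/exports to an address that changes with every ISP lease.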
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:17 CEST