Ben,

Could you use NFSv4 to obviate the need for statd/lockd?

g

Ben Rockwood wrote:
> The issue with using IP Filter is this... lockd always opens up at
> 4045, but statd is assigned ports, so you don't know what ports you need
> to protect, thus you need to whitelist rather than blacklist ports.
> That's a problem in a virtualized environment where you may not know (or
> want to know) what ports are open or being used in various zones. Users
> in these situations commonly want to only have ports open that they
> explicitly open themselves; when they mount NFS, suddenly there are
> things open that they don't want the world to port scan.
>
> benr.
>
>
> Glenn Brunette wrote:
>>
>> Ben,
>>
>> The NFS client services are a lot more locked down in Solaris 10 than
>> they were in prior versions. This helps to mitigate many of the threats
>> normally attributed to these services:
>>
>> blackhole$ pfexec ppriv -S `pgrep statd`
>> 11632: /usr/lib/nfs/statd
>> flags = PRIV_AWARE
>> E: net_bindmlp,proc_fork
>> I: none
>> P: net_bindmlp,proc_fork
>> L: none
>>
>> blackhole$ pfexec ppriv -S `pgrep lockd`
>> 11637: /usr/lib/nfs/lockd
>> flags = PRIV_AWARE
>> E: sys_nfs
>> I: none
>> P: sys_nfs
>> L: none
>>
>> As you can see, they are privilege aware and are configured to have very
>> few privileges (just as with the RPC port mapper):
>>
>> blackhole$ pfexec ppriv -S `pgrep rpcbind`
>> 414: /usr/sbin/rpcbind
>> flags = PRIV_AWARE
>> E: net_bindmlp,net_privaddr,proc_fork,sys_nfs
>> I: none
>> P: net_bindmlp,net_privaddr,proc_fork,sys_nfs
>> L: none
>>
>> Also, I believe that statd and lockd are no longer needed if you are
>> using NFSv4 (only). You still may need things like nfsmapid and
>> possibly gssd, however.
>>
>> Beyond that, what was your concern with using IP Filter as a host-based
>> firewall to restrict access to these services? I would like to get a
>> better feel for what your concerns are.
>>
>> Thanks!
>> g
>>
>>
>> Ben Rockwood wrote:
>>> I've posted this question to nfs-discuss with no response, asking
>>> with wide scope here.
>>>
>>> NFS clients will open 2 or more ports, statd and lockd. While
>>> rpcbind can be set as local_only, these ports are still open and
>>> could potentially be exploited. For servers on the public internet
>>> this is a considerable risk.
>>>
>>> What is the appropriate way of securing such a system? I'm not aware
>>> of any way to restrict these daemons to a single (private) network
>>> interface, and I don't believe TCP Wrappers is applicable.
>>>
>>> Is there a recommended means of dealing with this other than using a
>>> firewall?
>>>
>>> benr.
>>>
>>>
>>> This message posted from opensolaris.org
>>> _______________________________________________
>>> security-discuss mailing list
>>> security-discuss at opensolaris.org
>>
>

-- 
Glenn Brunette
Distinguished Engineer
Director, GSS Security Office
Sun Microsystems, Inc.
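An added example, not part of the thread above and not code from either poster: a small POSIX shell script that turns the lockd/statd port problem Ben describes into IP Filter rules. It parses a constructed `rpcinfo -p` snapshot (sample data, not captured from a real host) to find where nlockmgr (lockd) and status (statd) are registered, emits a blacklist built from that snapshot, and then emits the whitelist rule set that does not depend on knowing statd's port. The interface names bge0 (public) and bge1 (private) and the allowed TCP ports are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). lockd is fixed at 4045, but statd
# (RPC program 100024, service "status") gets whatever port rpcbind hands
# it, so a blacklist must be regenerated from a live `rpcinfo -p` snapshot,
# while a whitelist on the public interface holds regardless of that port.
#
# bge0 (public), bge1 (private) and the rpcinfo text below are assumed /
# constructed sample data, not taken from the thread.

# Constructed sample of `rpcinfo -p` output on a Solaris NFS client.
SAMPLE_RPCINFO=$(cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   udp    111  rpcbind
    100021    4   tcp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100024    1   udp  32772  status
    100024    1   tcp  32773  status
EOF
)

# Read rpcinfo -p output on stdin; print de-duplicated "proto port" pairs
# for every registration of lockd (nlockmgr) and statd (status).
nfs_sidecar_ports() {
    awk 'NR > 1 && ($5 == "nlockmgr" || $5 == "status") { print $3, $4 }' | sort -u
}

# Blacklist approach: one "block in" rule per discovered proto/port pair on
# the public interface. Only correct for the snapshot it was generated
# from; statd's port moves on restart, so this has to be re-run each time.
# That fragility is the objection raised in the thread.
ipf_blacklist_rules() {
    pubif=$1
    while read -r proto port; do
        printf 'block in log quick on %s proto %s from any to any port = %s\n' \
            "$pubif" "$proto" "$port"
    done
}

# Whitelist approach: pass only the listed TCP ports inbound on the public
# interface and drop everything else, which covers statd wherever rpcbind
# put it. The private interface that carries NFS traffic stays open.
ipf_whitelist_rules() {
    pubif=$1
    privif=$2
    shift 2
    printf 'pass in quick on %s all\n' "$privif"
    printf 'pass out quick on %s all keep state\n' "$pubif"
    for p in "$@"; do
        printf 'pass in quick on %s proto tcp from any to any port = %s flags S keep state\n' \
            "$pubif" "$p"
    done
    printf 'block in log quick on %s all\n' "$pubif"
}

echo "# --- blacklist generated from the rpcinfo snapshot ---"
printf '%s\n' "$SAMPLE_RPCINFO" | nfs_sidecar_ports | ipf_blacklist_rules bge0
echo "# --- whitelist: public bge0 (ssh only), private bge1 open ---"
ipf_whitelist_rules bge0 bge1 22
```

On a live client, replace the sample with `rpcinfo -p | nfs_sidecar_ports`; the blacklist output is only as current as that snapshot, whereas the whitelist block can go into ipf.conf once and stays correct after statd is restarted.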
