Becke
Super Advisor

configuring NFS via ipsec.

Hi Guys,

I need to enable nfs using ipsec between two machines which are on the same network, so what I want to achieve and want to know is as follows.

1. The NFS protocol must be configured to listen on one dedicated network interface; this is to be configured via ipsec, so access to NFS is restricted to a single host, and if any other server attempts to connect to the NFS server it will be denied as if the NFS daemon is not available.

2. What port numbers NFS uses so I can configure it via ipsec?

Please advise ASAP
Raf
Jeff_Traigle
Honored Contributor

Re: configuring NFS via ipsec.

1. NFS itself does not handle per-interface configurations. You can restrict which systems can use the service by including the "access" option when you export a directory. See the exports(4) man page.

/data -access=client

2. From the /etc/services file:

nfsd-keepalive 1110/udp # Client status info
nfsd-status 1110/tcp # Cluster status info
nfsd 2049/udp # NFS remote file system
nfsd 2049/tcp # NFS remote file system
--
Jeff Traigle
Arunvijai_4
Honored Contributor

Re: configuring NFS via ipsec.

Hi Raf,

If you want secure NFS communication, you can easily achieve it through Stunnel. It is part of Internet Express, you can download it from,

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1111

http://www.stunnel.org/

An alternate way that you can consider.

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Steven E. Protter
Exalted Contributor

Re: configuring NFS via ipsec.

Shalom Raf,

Maybe NFS 4, but otherwise you are asking something of NFS that it's not capable of.

NFS at least up to V3 transmits its data unencrypted. It should not be used for sensitive data.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Becke
Super Advisor

Re: configuring NFS via ipsec.


Thanks for your responses guys, I'm doing reading on ipsec and see how I go...I really need to use ipsec to configure nfs...

talk to you later

Many thanks
Raf
vazjuanp
Advisor

Re: configuring NFS via ipsec.

Hi,

 

I am having the same issue you are describing. Since it has been a while since this was posted, did you find a solution? In that case it would be very helpful for me. 

Thanks!!

Dave Olker
Neighborhood Moderator

Re: configuring NFS via ipsec.

What are your exact requirements?  Do you need to use IPSec?  Do you want to send NFS data using encryption?  What are the specific needs?

 

Dave



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
vazjuanp
Advisor

Re: configuring NFS via ipsec.

I have to limit the access of servers allowed to share directories through NFS by IP address. I have been taking a look at the IPsec documentation and I think I have to edit a host to host connection template located here:

/var/adm/ipsec/templates/host-to-host

Not really sure about it though...

Dave Olker
Neighborhood Moderator

Re: configuring NFS via ipsec.


@vazjuanp wrote:

I have to limit the access of servers allowed to share directories through NFS by IP address. 



How about just setting up an access list to include the specific NFS clients you want to allow to mount based on their IP address or a netgroup that only contains the clients you want to mount the filesystems?  I don't see a reason for IPsec in this situation.

 

Dave



vazjuanp
Advisor

Re: configuring NFS via ipsec.

I was thinking of using IPsec since it was another person's suggestion but I think you are right and that should do it. Could I do it using the exportfs command with the access=access_list option?

Dave Olker
Neighborhood Moderator

Re: configuring NFS via ipsec.

You've never mentioned which version of HP-UX you're running on the NFS server.  11.23 uses the exportfs command and 11.31 uses the share command.  In either case you would use the access_list portion of the command to identify which specific clients you want to allow to mount the filesystem.

 

Dave



vazjuanp
Advisor

Re: configuring NFS via ipsec.

The HP-UX version is 11.31 so I'll use the share command. Thank you very much for helping me. I will let you know how it works!

vazjuanp
Advisor

Re: configuring NFS via ipsec.

I've ended up using IPFilter since all I wanted to do was block anyone but the server mounting that folder. Thank you everyone for the help!
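
A check for the access-list approach discussed in the replies above, as an added example that is not part of any post in this thread: a shell function that reads exports(4)-style lines (11.23) or dfstab `share` lines (11.31) and flags shares that are not limited to approved clients. The host names, paths and the option semantics noted in the comments are assumptions to verify against exports(4) and share_nfs(1M) on the target release.

```shell
#!/bin/sh
# Added example: flag NFS shares that are not limited to approved clients.
# Usage: audit_shares ALLOWED < file   (ALLOWED = colon-separated client names)
# Output per share: OK|OPEN|EXTRA <path> [unapproved clients]
# Assumption: access lists hold plain host names or IPs (no netgroups, no "-host").
# Assumption: in exports(4) only access= limits who may mount (rw=list is read-mostly).
audit_shares() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, ":"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^[ \t]*#/ || NF == 0 { next }           # skip comments and blank lines
    {
        opts = ""; lists = ""; open = 0
        if ($1 == "share") {                 # dfstab: share -F nfs -o OPTS PATH
            kind = "share"; path = $NF
            for (i = 2; i < NF; i++) if ($i == "-o") opts = $(i + 1)
        } else {                             # exports(4): PATH -OPTS
            kind = "exports"; path = $1
            if ($2 ~ /^-/) opts = substr($2, 2)
        }
        m = split(opts, o, ",")
        for (i = 1; i <= m; i++) {
            k = o[i]; v = ""; p = index(o[i], "=")
            if (p > 0) { k = substr(o[i], 1, p - 1); v = substr(o[i], p + 1) }
            if (kind == "share" && (k == "rw" || k == "ro")) {
                if (v == "") open = 1        # bare rw/ro means every client
                else lists = lists ":" v
            }
            if (kind == "exports" && k == "access") lists = lists ":" v
        }
        if (open || lists == "") { print "OPEN", path; next }
        extra = ""
        h = split(substr(lists, 2), hs, ":")
        for (i = 1; i <= h; i++) if (!(hs[i] in ok)) extra = extra " " hs[i]
        st = (extra == "") ? "OK" : "EXTRA"
        print st, path extra
    }'
}

# Constructed sample covering both formats; nfsclient1 is the only approved client.
audit_shares nfsclient1 <<'EOF'
/data -access=nfsclient1
/scratch -rw=nfsclient1
share -F nfs -o rw=nfsclient1 /export/app
share -F nfs -o rw=nfsclient1:buildhost /export/logs
share -F nfs /export/tmp
EOF
```

An access list only controls who may mount; as noted earlier in the thread, NFS up to V3 still sends its data unencrypted, so this check says nothing about confidentiality on the wire.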