[SGVLUG] NFD over Internet

Chris Smith cbsmith at gmail.com
Mon Dec 5 16:26:58 PST 2005


On 12/5/05, Jeff Carlson <jeff at ultimateevil.org> wrote:
> I wouldn't use SSH.  First of all, by default, Linux NFS is UDP, so you
> can't tunnel it through SSH.  The only NFS implementation that I know of
> as TCP by default is Solaris (although this could be true of other SysV
> Unixes).  It is possible to switch NFS to TCP in Linux, but if you know
> anything about TCP versus UDP networking, you might agree that with this
> kind of traffic, UDP is the way to go.  Of course, when you're dealing
> with a single small file, the overhead of TCP might be worth it.

Ironically, it's with large files that the overhead of TCP tends to be
a non-issue. For example, our NAS vendor recommends we use TCP for
best performance. In general, it's a misnomer that TCP adds
significant overhead. Particularly over "longer" links like the
Internet, it tends to be advantageous to use TCP for this kind of
thing. This is part of the reason why "WebNFS" was TCP over NFS.

> One of the main problems with exposing NFS to the Internet is that you
> must let the portmapper be visible on the Internet.  Is that an issue?
> There have been root exploitable bugs in the portmapper in the past.

Honestly, exposing NFS to the Internet is probably far more dangerous
than exposing portmapper. Not that exposing portmapper is a low-risk
proposition, but I'd be more worried about exploits in NFS itself.

> For NFS, I would definitely consider implementing IPsec on all involved
> nodes.

Yup, IPSec is the right way to go with this anyway.

> With a database, you have two ways of securing the data, either TLS or
> once again, IPsec.  I prefer IPsec in this case because you don't make
> the database port visibly open to anyone else.  And, of course, you can
> use them both.

In some ways exposing the database is a larger security risk, as
through the wonders of stored procedures, a database actually can
execute code, while filesystems generally don't.

A nice solution for sharing files in a fairly straightforward way
would be WebDAV. Looks a fair bit like a filesystem, but in reality
bears more resemblance to a version control system. Avoids the race
conditions and such with filesystems.

--
Chris
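Two things the thread argues about (is this NFS server actually speaking TCP, and what does the portmapper give away to anyone who can reach port 111) can be checked from the outside with `rpcinfo -p <host>`. The script below is an added example written for this page, not code from either poster; it parses `rpcinfo -p` output, flags services that are UDP-only and services that sit on dynamic ports (which a client can only find via the portmapper, and which cannot be allowed through a firewall by port number alone), and checks a Linux mount option string for `proto=tcp`. The `rpcinfo` output embedded in it is constructed sample data, not captured from a real host, and the well-known port table is limited to the two ports assigned by convention (111, 2049).

```python
"""Inspect what an NFS host registers with the portmapper and whether a
mount is pinned to TCP.  Added example for this thread, not code from
the original post.  SAMPLE_RPCINFO is constructed sample data in the
format that `rpcinfo -p <host>` prints on Linux."""

import re
import sys
from collections import defaultdict

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  40263  mountd
    100005    1   tcp  37711  mountd
    100003    3   udp   2049  nfs
    100021    1   udp  39839  nlockmgr
"""

# Ports fixed by convention; everything else is assigned at daemon start
# unless the administrator pins it (e.g. mountd -p / /etc/nfs.conf).
WELL_KNOWN = {"portmapper": 111, "nfs": 2049}

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Return a list of (service, program, version, proto, port) tuples,
    skipping the header line and anything that does not look like a record."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        program, vers, proto, port, service = m.groups()
        records.append((service, int(program), int(vers), proto, int(port)))
    return records


def transports(records):
    """Map each service name to the set of transports it is registered on."""
    by_service = defaultdict(set)
    for service, _prog, _vers, proto, _port in records:
        by_service[service].add(proto)
    return dict(by_service)


def udp_only_services(records):
    """Services registered on UDP but not TCP: these cannot be carried over
    a TCP tunnel such as ssh -L, which is the point Jeff makes above."""
    return sorted(s for s, protos in transports(records).items()
                  if protos == {"udp"})


def dynamic_port_services(records):
    """Services on a port that is not fixed by convention.  Clients learn
    these ports from the portmapper, so port 111 must stay reachable and a
    firewall rule for 2049 alone does not cover them."""
    dyn = set()
    for service, _prog, _vers, _proto, port in records:
        if WELL_KNOWN.get(service) != port:
            dyn.add(service)
    return sorted(dyn)


def mount_uses_tcp(options):
    """True if an NFS mount option string (the options column of
    /proc/mounts, or the -o argument to mount) pins the transport to TCP.
    Linux accepts both proto=tcp and the older bare 'tcp' flag."""
    opts = dict(o.partition("=")[::2] for o in options.split(","))
    return opts.get("proto") == "tcp" or "tcp" in opts


def report(text):
    """Summarise one rpcinfo -p listing as a dict (also handy for tests)."""
    recs = parse_rpcinfo(text)
    return {
        "services": transports(recs),
        "udp_only": udp_only_services(recs),
        "dynamic_ports": dynamic_port_services(recs),
    }


if __name__ == "__main__":
    # Usage: rpcinfo -p nfs.example.org | python3 rpccheck.py
    # With no piped input the constructed sample is analysed instead.
    text = SAMPLE_RPCINFO if sys.stdin.isatty() else sys.stdin.read()
    for key, value in report(text).items():
        print(f"{key}: {value}")
```

In the constructed sample the NFS service itself is UDP-only, so a `mount -o proto=tcp` from a client would fail against it until the server is started with TCP enabled; mountd and nlockmgr sit on ephemeral ports, which is why simply firewalling 2049 does not cut the exposure the thread is worried about. With IPsec in place, as both posters recommend, this matters less, since the policy is on the peer rather than the port.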


More information about the SGVLUG mailing list