Coda File System

Re: Denying access to coda

From: <jaharkes_at_cs.cmu.edu>
Date: Mon, 29 Mar 1999 13:15:02 -0500
wallner_at_speed-link.de said:
| after setting up coda with help from this list I have another
| question. Is it possible to use coda with access control facilities
| like tcp_wrappers or something similar? Or do I have to use ACLs to
| achieve this.

| What I want is to make it impossible for any machine not on my subnet
| to mount /coda. 

Hi Florian,

I don't know how tcpwrappers would fit into Coda; most communication is
over UDP, and you probably wouldn't want a double reverse domain lookup
on every rpc2 message. However, I noticed that portmap/nfs on Redhat is
using tcpwrappers with UDP traffic, so it would be possible to use it.

Currently the easiest way to make sure people outside of your subnet
cannot mount your filesystem is to use firewall rules on the coda 
server machines to block off any access to udp port 2432 from outside
the subnet. Here are examples for Linux, because I don't know how to
do this on FreeBSD or NetBSD.

<my_subnet> is something similar to 128.2.0.0/16, or 10.10.10.0/24.

linux 2.0.x:
	ipfwadm -I -a accept -P udp -S <my_subnet> -D 0.0.0.0/0 2432
	ipfwadm -I -a reject -P udp -D 0.0.0.0/0 2432

linux 2.1.x:
	ipchains -N coda
	ipchains -A coda -s <my_subnet> -j RETURN
	ipchains -A coda -j REJECT
	ipchains -A input -p udp --destination-port 2432 -j coda

Jan
Received on 1999-03-29 13:17:48
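As an added illustration (not part of Jan's message or the Coda project), here is a small Python model of the two rule sets above. It encodes the ipfwadm pair and the ipchains chain as data and walks them the way the kernel would, so you can check what a given packet gets before putting the rules on a server. It assumes ipchains semantics as described in the message (a RETURN in the user chain hands the packet back to the calling chain, which then falls through to the input chain's default policy, taken here to be ACCEPT) and uses constructed addresses such as 10.10.10.0/24 and 192.0.2.9 as sample input.

```python
"""Model of the ipfwadm / ipchains rules that limit Coda's UDP port 2432
to one subnet. Added example; the semantics (first match wins, RETURN
falls back to the calling chain, default input policy ACCEPT) are
assumptions about ipfwadm/ipchains, not taken from the message."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

CODA_UDP_PORT = 2432  # the port the message says the Coda server uses


@dataclass
class Packet:
    src: str    # source IP address
    proto: str  # "udp" or "tcp"
    dport: int  # destination port


@dataclass
class Rule:
    target: str                    # ACCEPT, REJECT, RETURN, or a user chain
    src: Optional[str] = None      # -s / -S source network filter
    proto: Optional[str] = None    # -p / -P protocol filter
    dport: Optional[int] = None    # destination port filter

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def ipfwadm_chains(my_subnet: str) -> Dict[str, List[Rule]]:
    # ipfwadm -I -a accept -P udp -S <my_subnet> -D 0.0.0.0/0 2432
    # ipfwadm -I -a reject -P udp -D 0.0.0.0/0 2432
    return {"input": [
        Rule("ACCEPT", src=my_subnet, proto="udp", dport=CODA_UDP_PORT),
        Rule("REJECT", proto="udp", dport=CODA_UDP_PORT),
    ]}


def ipchains_chains(my_subnet: str) -> Dict[str, List[Rule]]:
    # ipchains -N coda
    # ipchains -A coda -s <my_subnet> -j RETURN
    # ipchains -A coda -j REJECT
    # ipchains -A input -p udp --destination-port 2432 -j coda
    return {
        "coda": [Rule("RETURN", src=my_subnet), Rule("REJECT")],
        "input": [Rule("coda", proto="udp", dport=CODA_UDP_PORT)],
    }


def walk_chain(chains: Dict[str, List[Rule]], name: str, pkt: Packet) -> Optional[str]:
    """Return ACCEPT/REJECT, or None when the chain falls through
    (explicit RETURN or end of chain without a terminal verdict)."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        if rule.target == "RETURN":
            return None
        if rule.target in ("ACCEPT", "REJECT"):
            return rule.target
        # jump into a user-defined chain; keep walking here if it returns
        verdict = walk_chain(chains, rule.target, pkt)
        if verdict is not None:
            return verdict
    return None


def verdict(chains: Dict[str, List[Rule]], pkt: Packet, policy: str = "ACCEPT") -> str:
    """Verdict for a packet entering the input chain with the given default policy."""
    v = walk_chain(chains, "input", pkt)
    return v if v is not None else policy


def both_agree(my_subnet: str, pkt: Packet) -> bool:
    """True when the ipfwadm and ipchains rule sets give the same verdict."""
    return verdict(ipfwadm_chains(my_subnet), pkt) == verdict(ipchains_chains(my_subnet), pkt)


if __name__ == "__main__":
    subnet = "10.10.10.0/24"  # constructed stand-in for <my_subnet>
    for pkt in (Packet("10.10.10.5", "udp", 2432),   # inside subnet: allowed
                Packet("192.0.2.9", "udp", 2432),    # outside subnet: rejected
                Packet("192.0.2.9", "udp", 53),      # other UDP: not covered
                Packet("192.0.2.9", "tcp", 2432)):   # TCP to 2432: not covered
        print(pkt, "->", verdict(ipchains_chains(subnet), pkt))
```

The last two sample packets show the scope of the rules as written: only UDP to port 2432 is examined, so anything else on the host stays governed by the input chain's default policy. Running the model with your own subnet and a few addresses is a cheap way to confirm the match order before loading the rules.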