Patrice Dumas wrote:
> On Mon, Jan 19, 2009 at 09:08:11AM -0500, Steve Dickson wrote:
>
>> The discussion about the fact mountd (statd) no longer accept connections from
>> unknown IP address (similar to other system daemon) due to a "fix" in the tcp
>> wrapper code is at:
>
> This is not a change in tcp_wrapper, but in nfs-utils. And as far as I
> can tell this is not already upstream, so this looks like (but I may
> be wrong) a fedora specific change in mountd.
>
> I think that it is a very questionable change. Maybe it makes sense
> for NFSv4 (but is mountd involved in NFSv4?), but for NFSv3, it
> doesn't make sense to me, since there is no security at all in any
> case.
>
> I may very well be missing something, though.
>
>> Through some side bar discussion it's been suggested an update to
>> the man page is probably needed (which I agree) and maybe a flag
>> of some sort to allow unknown IP address access. I must admit, I'm
>> a bit hesitant to do the latter, since I don't think it's a good idea
>> to allow unknown client access any system daemon...
>
> Why not? Forcing reverse DNS lookup to be working seems to me to be
> quite extreme. In a typical local network, for NFSv3, not having
> reverse lookup working for clients seems quite natural to me, especially
> on NATed networks.

hmm... the real need for the lookup is so the 'mountd: <hostsname>' in
either /etc/hosts.deny/allow will work... so I guess the idea of not
doing the tcp wrappers check at all might be the answer...

steved.