Gluster's native "auth.allow/auth.reject" configuration and/or iptables configured to drop all packets to/from a particular IP range will stop unwanted clients accessing the services.

Your comment on spoofing IPs is understood, but if a client claimed it was the IP of another Gluster node, you'd have other problems manifesting (like failures within Gluster itself, as traffic destined for another brick would go to the wrong place).

Others have made comments about separate networks, and that would probably be your best bet. Gluster does technically listen on all interfaces, but with appropriate physical networking setup (completely separate network ranges on physically separate interfaces or VLANs) you could circumvent security issues there.

For example, our Gluster infrastructure lives in a shared environment with specific clients who aren't granted access. We do this via physical networking setup, VLANs, and iptables on our core Linux firewall. Production VFX users are the only ones who can have network level access, and everyone else can't see the network range that Gluster lives on. I could trivially create another VLAN for the Gluster nodes to talk amongst themselves, and force all users to only access services on top of Gluster (Samba, etc.) on our production network.

-Dan

----------------
Dan Mons
R&D SysAdmin
Unbreaker of broken things
Cutting Edge
http://cuttingedge.com.au


On 23 January 2014 01:43, Peter B. <pb@xxxxxxxxxxxxxxxxx> wrote:
> On 01/21/2014 10:31 PM, Dan Mons wrote:
>> On 22 January 2014 05:19, Peter B. <pb@xxxxxxxxxxxxxxxxx> wrote:
>>> The clients in fact *do* only access it over Samba. I just figured that
>>> *if* one user connected a GNU/Linux machine to the LAN, he could simply
>>> connect with write permissions using the GlusterFS Linux client. All
>>> he'd have to do for authenticating is to spoof one of the storage-IPs.
>> man iptables
>
> I've been working with iptables for many years, but in this particular
> case, I fail to see how they would help.
> Maybe I'm overlooking something very obvious?
>
> Could you please elaborate your suggestion a bit?
>
>
> Thanks,
> Pb

_______________________________________________
Gluster-users mailing list
Gluster-users@xxxxxxxxxxx
http://supercolony.gluster.org/mailman/listinfo/gluster-users
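The layered setup Dan describes (a dedicated storage interface/VLAN, iptables rules pinning Gluster's ports to that interface and range, plus Gluster's own auth.allow) as an added shell example, not code from the thread or from the Gluster project. It assumes the storage VLAN is on interface eth1 with range 10.10.10.0/24, a volume named vfxvol, and GlusterFS 3.x default ports (glusterd on 24007/24008, bricks on 49152-49251); adjust all of these to your environment.

```shell
#!/bin/sh
# Added example (not from the thread). auth.allow is checked against the client's
# source IP, so it is only as strong as the network's protection against spoofing;
# the firewall rules below make a storage-range source that arrives on any other
# interface a dropped packet, and expose Gluster's ports only on the storage VLAN.
# Assumed values: eth1, 10.10.10.0/24, volume vfxvol, Gluster 3.x default ports.
# With DRY_RUN=1 the commands are printed instead of executed (use this first).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

gluster_firewall() {
    storage_if=$1    # interface on the storage VLAN, e.g. eth1
    storage_net=$2   # storage nodes and clients, e.g. 10.10.10.0/24

    # Anti-spoofing: a storage-range source must arrive on the storage interface.
    run -A INPUT ! -i "$storage_if" -s "$storage_net" -j DROP

    # Gluster management (24007-24008) and brick (49152-49251) ports: storage VLAN only.
    run -A INPUT -i "$storage_if" -s "$storage_net" -p tcp --dport 24007:24008 -j ACCEPT
    run -A INPUT -i "$storage_if" -s "$storage_net" -p tcp --dport 49152:49251 -j ACCEPT

    # Anyone else, on any interface, is refused Gluster's ports.
    run -A INPUT -p tcp --dport 24007:24008 -j DROP
    run -A INPUT -p tcp --dport 49152:49251 -j DROP
}

# Gluster's native check, as a second layer: restrict which clients may mount
# the volume (wildcard form, accepted by 3.x).
gluster_auth() {
    volume=$1
    pattern=$2   # e.g. 10.10.10.*
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "gluster volume set $volume auth.allow $pattern"
    else
        gluster volume set "$volume" auth.allow "$pattern"
    fi
}

# Default to a dry run; pass "apply" (as root on a Gluster node) to execute.
case "${1:-}" in
    apply) ;;
    *)     DRY_RUN=1; export DRY_RUN ;;
esac
gluster_firewall eth1 10.10.10.0/24
gluster_auth vfxvol '10.10.10.*'
```

Apply the rules before the default INPUT policy, and keep the storage VLAN unrouted from the user network so the iptables layer is a backstop rather than the only control.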