[TriLUG] Question About NFS Client Access Config

John Vaughters via TriLUG trilug at trilug.org
Wed Apr 10 09:41:36 EDT 2019



>Why should iptables be considered cheating?  Defense in depth is a well regarded concept and adding
>a layer of host based security is a common tactic in controlling access to resources on a server.
>Seems rather like doing security with one hand tied behind your back.

iptables or firewalld is definitely not cheating if it solves what you are trying to accomplish. If, however, it is just to reduce access to a security flaw in the software that owns the port that failed the scan, then you have not solved the issue but merely reduced access to it, making it harder for any attacker to know what to gain access to and then attack from that location. However, in this NFS case it doesn't quite matter. The internal firewall will accomplish what NFS is trying to accomplish, albeit failing at the moment.

The only downside to host-side firewalls is maintenance. It becomes quite a task if you have a bunch of servers and they each have their own firewall to maintain. However, isn't security a lot of work no matter what direction you choose? A rhetorical YES!!!

We actually do not have enough info to help troubleshoot further. For instance, what was mounted? Was it RW or RO? I'm not asking, just saying that to troubleshoot, you need more info from the scan. Contacting RHEL will most likely raise those questions, but RHEL support is probably the best plan here.

Good Luck!

John Vaughters
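The "second layer" the reply above argues for, written out as an added example (not code from the thread or from any of its participants): a small POSIX sh script that builds the iptables rules limiting the NFS server ports to a known client subnet, beside the /etc/exports entry that does the same job at the NFS layer. The client subnet 10.10.20.0/24, the export path /srv/export and the mountd port 20048 are assumptions for illustration; the script defaults to a dry run that only prints the iptables commands, so it can be reviewed before being applied as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the TriLUG thread. Restrict NFS server ports on the
# host firewall to an allowed client list, as the layer beside /etc/exports.
#
# /etc/exports line this pairs with (assumed path and subnet):
#   /srv/export 10.10.20.0/24(ro,sync,root_squash)
# then: exportfs -ra
#
# Assumptions: NFSv4 over TCP 2049 only. With NFS3=1 the script also opens
# rpcbind (111) and rpc.mountd; mountd must be pinned to a fixed port first
# (/etc/nfs.conf [mountd] port=, or RPCMOUNTDOPTS in /etc/sysconfig/nfs on
# older RHEL), otherwise it moves and the rules silently stop matching.
# MOUNTD_PORT=20048 is the common nfs-utils default, assumed here.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands, 0 = execute them (needs root)

# run: echo the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# nfs_rules CLIENTS [NFS3]
#   CLIENTS: whitespace-separated list of CIDRs allowed to reach the server
#   NFS3:    1 to add rpcbind and mountd (TCP and UDP), default 0 (NFSv4 only)
# Emits ACCEPT rules for each client/port pair, then a DROP for every other
# source, so hosts outside the list never reach the NFS daemon at all.
nfs_rules() {
    clients="$1"
    nfs3="${2:-0}"
    ports="2049"
    if [ "$nfs3" = 1 ]; then
        ports="111 2049 ${MOUNTD_PORT:-20048}"
    fi

    for cidr in $clients; do
        for p in $ports; do
            run iptables -A INPUT -p tcp -s "$cidr" --dport "$p" -j ACCEPT
            if [ "$nfs3" = 1 ]; then
                run iptables -A INPUT -p udp -s "$cidr" --dport "$p" -j ACCEPT
            fi
        done
    done

    # Catch-all after the ACCEPTs: everyone not listed above is dropped.
    for p in $ports; do
        run iptables -A INPUT -p tcp --dport "$p" -j DROP
        if [ "$nfs3" = 1 ]; then
            run iptables -A INPUT -p udp --dport "$p" -j DROP
        fi
    done
    return 0
}

# Usage (assumed subnet). Prints the rule set in dry-run mode.
nfs_rules "${NFS_CLIENTS:-10.10.20.0/24}" "${NFS3:-0}"
```

The rules are appended with -A, so on a host whose INPUT chain already ends in a catch-all REJECT (the RHEL default) they would sit behind it and never match; insert them earlier with -I or put them in a dedicated chain jumped to from the top of INPUT. After applying, a client not in the list should see its mount hang rather than get "access denied", which is the visible difference between blocking at the firewall and blocking in /etc/exports.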
