mattross

XNFS deny many IP addresses

I need to deny a block of IP addresses from accessing some NFS volumes, let's say for example the range 192.168.0.0-192.168.0.254.

Is there an alternate way I can do it without specifying each IP as in:

XNFS SHARE /VOL1 -anon -rw -deny=192.168.0.0:192.168.0.1:192.168.0.2....192.168.0.254 -root=server1:server2

Thanks.
Marcel_Cox

Re: XNFS deny many IP addresses

I think you are using the wrong tool to do what you want to do. From the addresses you state, it looks like you want to prevent a whole subnet from accessing the server through NFS. I think such a rule could better be implemented on a firewall than at application level.

--
Marcel Cox
http://support.novell.com/forums
Micro Focus Contributor

Re: XNFS deny many IP addresses

mattross wrote:
> I need to deny a block of IP addresses from accessing some NFS volumes,
> let's say for example the range 192.168.0.0-192.168.0.254.
>
> Is there an alternate way I can do it without specifying each IP as
> in:
>
> XNFS SHARE /VOL1 -anon -rw
> -deny=192.168.0.0:192.168.0.1:192.168.0.2....192.168.0.254
> -root=server1:server2
>
> Thanks.
It's been a while since I played with it, but the following should do it, I think, if your subnet mask is 255.255.255.0:

XNFS SHARE /VOL1 -anon -rw -deny=@192.168.0.0/24 -root=server1:server2

Following is from comments in the /etc/exports file.

#06 Export /nfs/dir6 in NetWare mode with read/write access to all hosts in
# the network 192.168.0.0/255.255.255.224 and read-only to all other hosts.
# Anonymous access is allowed from all hosts.
#
#/nfs/dir6 -rw=@192.168.0/27 -ro -anon -nwmode

Regards,
mattross

Re: XNFS deny many IP addresses

That's interesting. I was hoping it supported something more than individual IP numbers.

Do you know if I can use multiple -deny options in the form -deny=@192.168.1.0/24:@192.168.3.0/24:@192.168.4.0/24 ?

It would also be really handy to negate it as well, such as -deny=!@192.168.2.0/24 - am I pushing my luck too far?

I agree in principle this should be done by a firewall. I have been looking at 'filtcfg' to see if that could do it but I'm not really sure yet.

Even better would be to not use NFSv3 and use NFSv4 instead, but I suppose that is not likely to be supported for the foreseeable future? If not, are there any third-party commercial NFSv4 add-ons I could investigate?
Micro Focus Contributor

Re: XNFS deny many IP addresses

mattross wrote:
> That's interesting. I was hoping it supported something more than
> individual IP numbers.
>
> Do you know if I can use multiple -deny options in the form
> -deny=@192.168.1.0/24:@192.168.3.0/24:@192.168.4.0/24 ?
I think you can.

> It would also be really handy to negate it as well, such as
> -deny=!@192.168.2.0/24 - am I pushing my luck too far?
That's an allow list, right? Why not give only this in rw= or ro=?

It's been a while and I don't recollect exactly; it must be simple to try it out, though.
mattross
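To make the @network/prefix export syntax from the earlier reply concrete, and to compare the -deny form with the allow-list alternative (rw= or ro= only) suggested just above, here is an added Python model. It is not XNFS or NetWare code; the evaluation order it uses (an explicit deny wins, then rw, then ro, and anything unmatched gets no access) is an assumption taken from the thread and the quoted /etc/exports comment, not documented XNFS behaviour.

```python
"""Toy model of an exports-style option string with @network entries.
Added illustration only: the evaluation order (deny first, then rw, then
ro, anything unmatched refused) is an assumption from the thread, not
XNFS's documented behaviour."""
import ipaddress
from typing import Dict, List, Union

Entry = Union[ipaddress.IPv4Network, str]   # a network/host, or a hostname


def _network(spec: str) -> ipaddress.IPv4Network:
    """'@192.168.0/27' -> 192.168.0.0/27.  Also accepts a dotted mask
    ('/255.255.255.224') and a bare host address (treated as /32)."""
    addr, _, mask = spec.lstrip('@').partition('/')
    octets = addr.split('.')
    addr = '.'.join(octets + ['0'] * (4 - len(octets)))  # pad short forms
    return ipaddress.ip_network(f"{addr}/{mask or 32}", strict=False)


def parse_options(opts: str) -> Dict[str, List[Entry]]:
    """'-rw=@10.0.0.0/8:fileserv -ro -anon' ->
    {'rw': [10.0.0.0/8, 'fileserv'], 'ro': [], 'anon': []}.
    An empty list means the option applies to every host."""
    parsed: Dict[str, List[Entry]] = {}
    for tok in opts.split():
        name, _, value = tok.lstrip('-').partition('=')
        entries: List[Entry] = []
        for item in filter(None, value.split(':')):
            if item.startswith('@') or item[0].isdigit():
                entries.append(_network(item))
            else:
                entries.append(item)          # hostname, e.g. in -root=
        parsed[name] = entries
    return parsed


def _matches(client: ipaddress.IPv4Address, entries: List[Entry]) -> bool:
    return any(isinstance(e, ipaddress.IPv4Network) and client in e
               for e in entries)


def access_for(opts: str, client_ip: str) -> str:
    """Return 'deny', 'rw' or 'ro' for a client under the given options."""
    opt = parse_options(opts)
    client = ipaddress.ip_address(client_ip)
    if 'deny' in opt and _matches(client, opt['deny']):
        return 'deny'                         # an explicit deny wins
    for mode in ('rw', 'ro'):
        if mode in opt and (not opt[mode] or _matches(client, opt[mode])):
            return mode                       # bare -rw/-ro means any host
    return 'deny'                             # nothing granted access
```

With the allow-list form (rw=@192.168.2.0/24 and no bare -rw), every host outside that network ends up refused without any deny entry, which is the point of the suggestion above.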

Re: XNFS deny many IP addresses

Thanks I'll test it and see what happens.