topic Re: Netapp ONTAP 8.3.1. NFS hardening in ONTAP Discussions

Netapp ONTAP 8.3.1. NFS hardening

Jellekamma30 — Wed, 04 Jun 2025 19:25:26 GMT

Hi,

we have a nice netapp cluster with 8.3.1 running.

We have multiple vservers for NFS iscsci and CIFS. I am running into the following problem.

A linux coworker of mine is able to mount all the NFS volumes on my filers within /

We have NFS export policies enabled with allows servers in 2 vlans with acces to certain mounts.

However, my coworker can mount / and see all the mounts on the filers.(because he is in one of the 2 vlans)

How can I disable this? The volumes are all mounted under namespaces under /.

So if I remove the export rights of / all the other volumes beneath / will also be unmountable?

thanks!

Re: Netapp ONTAP 8.3.1. NFS hardening

Jellekamma30 — Mon, 22 Aug 2016 12:41:16 GMT

do I even need an export policy on the / ?

(or a blank one)

Re: Netapp ONTAP 8.3.1. NFS hardening

aborzenkov — Mon, 22 Aug 2016 12:50:41 GMT

Yes, you do. Clients must be able to traverse junction tree starting from the top (i.e. "/"), which means "/" must allow at least read-only mount. The only way to harden it would be to restrict visibility of files/directories under "/", so that even if clients mount it, they won't be able to see its content.

Re: Netapp ONTAP 8.3.1. NFS hardening

Jellekamma30 — Mon, 22 Aug 2016 12:57:53 GMT

thanks for your reply!

How can I make it invisible under /?

Re: Netapp ONTAP 8.3.1. NFS hardening

aborzenkov — Mon, 22 Aug 2016 13:43:15 GMT

Set "/" unix-permissions to something like 0711 (of course make sure owner is root) and create mninimal export-policy that only allows ro mount, but no rw, no root etc. Then nobody can list content of /, but still explicitly enter subvolumes or mount them.