Network and Storage Protocols

Hide NFS exports

cschnidr
9,022 Views

Hi,

Is it somehow possible to "hide" NFS exports?

E.g. with showmount anyone who has connectivity to a Filer sees all exports:

---

correctie:~ cschnidr$ showmount -e 10.68.20.10
Exports list on 10.68.20.10:
/vol/vol4com                       10.68.21.0/24 10.68.20.0/24
/vol/vol1src                       10.68.20.0/24 10.68.21.0/24
/vol/vol0                           Everyone
/vol/chdiflr01_vol0                 Everyone
/vol/vol3usr                       10.68.21.0/24 10.68.20.0/24
/vol/vol2bkp                        Everyone
/vol/vol6www                       10.68.21.0/24 10.68.20.0/24
/vol/vol8fieldsup                  10.68.20.30
/vol/vol5pub                       10.68.21.0/24 10.68.20.0/24

---

A customer asks if it is possible to hide exports here, that it is only possible to mount if the correct path is known.

Thanks

Christoph

1 ACCEPTED SOLUTION

chriskranz
9,022 Views

I think this is unfortunately a limitation of the NFS protocol, and not the NetApp implementation of it. The reality is that this offers no security, only obscurity, and if you use a standard naming convention, volume names would be easy to guess.

Real security should be employed from within NFS, such as restricted network access, and UNIX permissions on the file system. NFS v4 adds better support for the security aspects also, so if the customer is concerned that the default NFS v3 doesn't offer them enough, you may want to look at using NFS v4.

It would be nice to see the ability to restrict NFS over certain interfaces only (like we can with iSCSI), and I can see that being easier for NetApp to implement, but I'm unsure whether that is road-mapped any time soon to be honest.

View solution in original post

4 REPLIES 4

chriskranz
9,023 Views

I think this is unfortunately a limitation of the NFS protocol, and not the NetApp implementation of it. The reality is that this offers no security, only obscurity, and if you use a standard naming convention, volume names would be easy to guess.

Real security should be employed from within NFS, such as restricted network access, and UNIX permissions on the file system. NFS v4 adds better support for the security aspects also, so if the customer is concerned that the default NFS v3 doesn't offer them enough, you may want to look at using NFS v4.

It would be nice to see the ability to restrict NFS over certain interfaces only (like we can with iSCSI), and I can see that being easier for NetApp to implement, but I'm unsure whether that is road-mapped any time soon to be honest.

pascalduk
9,022 Views

chriskranz wrote:

It would be nice to see the ability to restrict NFS over certain interfaces only (like we can with iSCSI), and I can see that being easier for NetApp to implement, but I'm unsure whether that is road-mapped any time soon to be honest.

In Ontap 7.3 it is possible to block a protocol on specific interfaces:

options interface.cifs.blocked
options interface.nfs.blocked

chriskranz
9,022 Views

Thanks for that Pascal, I hadn't realised. In that case that is definitely how I would secure and "hide" the NFS shares. Create a dedicated NFS network and block the protocol on all other interfaces. Anything more advanced than this I'm afraid is the limitation of the NFS protocol.

cschnidr
9,022 Views

It seems that unix derivates like HP-UX can do that. They disable any output from showmount requests.

Public