-----BEGIN PGP SIGNED MESSAGE-----
> just put an access list in the /etc/exports file
> as so
> <exported filesystem> -access=<ok host>:<ok host>
> then only the hosts in the list will be allowed to mount the filesystem.
Well, not really, not always, at least if you don't filter 2049 at the
router. There have been *at least* 6-7 very obscure holes that would
circumvent all the checks that the mount daemon implements, examples --
If NFS server has an /etc/exports file which contains an "-access=" string
longer than 256 bytes, the file system for which this line appears will be
exported to the world. [there is a sun patch that fixes it], also
indirect RPC mount calls allow you to mount exported dir, and etc.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----