(Me too, but you never learn anything by hanging out with people who
tell you stuff you already know. :)

I think NFS4 isn't the only answer though. There's AFS too, and other
variants. I don't think NFS4 should necessarily be the "next"
networked filesystem that NetBSD uses simply because it's called NFS,
but I haven't really done my NFS4 homework either.

This subject probably has the ability to get way too big inside this
thread. It probably already has.

Seems like there are too many ways to solve these types of problems,
depending on preference, application, etc. I'm probably not smart
enough to make this statement, but when one starts really considering
how to solve these problems in some sort of unified way, Plan9 seems
to make more and more sense.

But then, I don't think anyone is really requiring unity, just some
good solution for their particular situation and preference. Or maybe
I'm missing something?

Seems like I've opened a can of worms here, which I didn't mean to do.
My comment earlier about having some sort of firewall software
included with an operating system really is only a reaction to the
idea that one would have to block a port with a "firewall" in order to
run an application which can't control it's use of IP addresses or
ports. I think this is common, and it's kind of sad. It's the only
simple solution I found to the original subject though.

Andy

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Thor> I think that if we provided sane primitives for discovering
Thor> the set of valid destination addresses for a host, and binding
Thor> a socket so that it would receive packets on _some addresses_
Thor> (not one, and not all) it would be easy to add the kind of
Thor> access control you seem to want (and which a lot of other
Thor> people would probably like as well) to our applications.

Thor> In this case, we would add it to mountd, rpcbind, and the
Thor> in-kernel NFS server. It would be a nice example of the
Thor> interface, actually.
Matthew> But should individual applications need to know about it?

The "127.0.0.2" hack means that an application can pick one of three
things:
a) 0.0.0.0 (present case)
b) specific IP (often available, but NOT ALWAYS)

Our mountd/etc. needs to have (b) added, at a minimum.

Matthew> An alternative would be to let, say, inetd determine this
Matthew> even for separate servers and provide a notification
Matthew> interface if the server really needs to know what
Matthew> interface/address(s) it is listening on.

That sounds really complicated, but maybe I'm mis-understanding you.

- --
] Bear: "Me, I'm just the shape of a bear." | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] ***@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Finger me for keys

iQEVAwUBRS1nFICLcPvd0N1lAQLQlgf/SNsCSTg0pXvJveR+h3x9nKGKzruioIOZ
iapbbtmM89N3oQXuztV2dxw0ZxqE5h6cCs5/cmmyR/bJsqcsvk9OHpbpTCZjiI6i
AP4iBcz4IuCRGOYBi6ckAAh1vp+w1K+VZ5NUfB6L+QiVC8TqKhioQJXQrZZFyWmN
ycahdaC0Xk8Y3yvcWiJbiBw9pggrZ+FnaYDkXvsTkTXjxHi9YBdd3KvbkUNHMzUO
mev7EfuAJa/fr6J66lCA0MKyOl8xfpFE9noAgW5+djpVILE6RXaTYmlrROSm1/i1
+5TvRmjNj4yYiEpOY46ntTysQFGnu0dXt7HfuOXBhFxTKkO7bOlOBA==
=C98M
-----END PGP SIGNATURE-----

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de