Can't limit access to services like NFS to an IP address range

Revan

Explorer
Joined
Mar 22, 2017
Messages
81
Under Services/NFS I want to limit access to NFS by using the BIND IP Addresses field, but when I click on it, it doesn't let me enter an address or IP range. When clicking on the field, an empty list pops up.

Clicking on the help button says:
"Select IP addresses to listen to for NFS reqeusts. Leave empty for NFS to listen to all available addresses."

I assume the list is there to select some predefined IP address fields, but where can I define them?
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Bind IP is for the NFS server process, and is restricted to the server's local interface IPs. You want to limit access in the shares themselves, where you can define client subnets and host IPs.
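
Added example, not part of the thread: a Python audit of share-level client restrictions, the place the reply above says NFS access is limited. It assumes the shares end up as Linux exports(5)-style lines; the paths, subnets and addresses below are constructed.

```python
import ipaddress

# Constructed sample in Linux exports(5) syntax (an assumption; not from the thread).
SAMPLE_EXPORTS = """\
# path            client(options) ...
/mnt/tank/media   192.168.10.0/24(rw,sync) 192.168.20.5(ro)
/mnt/tank/public  *(ro)
/mnt/tank/scratch (rw)
"""

def parse_exports(text):
    """Return {path: [client_spec, ...]}; '' or '*' means any client."""
    shares = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        # Strip the "(options)" suffix; a bare "(rw)" leaves an empty client.
        shares[path] = [s.split("(", 1)[0] for s in specs] or [""]
    return shares

def is_open(client):
    """True when the client spec matches every address."""
    if client in ("", "*"):
        return True
    try:
        return ipaddress.ip_network(client, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname, wildcard pattern or netgroup: not judged here

def unrestricted_shares(shares):
    """Paths that at least one client spec exports to everyone."""
    return sorted(p for p, clients in shares.items() if any(map(is_open, clients)))

def client_allowed(shares, path, client_ip):
    """Check one client IP against a share's subnet and host entries."""
    ip = ipaddress.ip_address(client_ip)
    for client in shares.get(path, []):
        if is_open(client):
            return True
        try:
            if ip in ipaddress.ip_network(client, strict=False):
                return True
        except ValueError:
            continue  # non-IP spec; would need a DNS or netgroup lookup
    return False

if __name__ == "__main__":
    shares = parse_exports(SAMPLE_EXPORTS)
    print("open to any client:", unrestricted_shares(shares))
    print(client_allowed(shares, "/mnt/tank/media", "192.168.10.42"))
```

Hostname and netgroup entries are skipped rather than resolved, so a share that relies on them needs a manual look.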
 

Revan

I understand. Thank you.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
When clicking on the field, an empty list pops up.

Also, empty implies you have your system configured for DHCP. This is not recommended, as loss of the DHCP lease will lead to loss of NAS connectivity.
 

Revan

Well, my DHCP server is my layer 3 switch. If that one goes down, I also won't have a connection to the NAS. But thanks for the info.
 

jgreco

Well, my DHCP server is my layer 3 switch. If that one goes down, I also won't have a connection to the NAS. But thanks for the info.

Not true. Your switch is running a software stack, and it is entirely possible for a switch to run out of memory and start losing processes. It is also entirely possible for the DHCP server to change the address of the NAS, perhaps due to misconfiguration, which will cause the NAS to drop open client sessions, which really messes with stuff like NFS.
 

Revan

Okay, I will think about making it a static IP.
 

Revan

Not true. Your switch is running a software stack, and it is entirely possible for a switch to run out of memory and start losing processes. It is also entirely possible for the DHCP server to change the address of the NAS, perhaps due to misconfiguration, which will cause the NAS to drop open client sessions, which really messes with stuff like NFS.
One more question.

Does that also apply if the IP address given by the DHCP server is always the same?
 

jgreco

Well, yes, if the DHCP server crashes, and your lease times out.

This is why it is generally much better to wire down infrastructure with static IP addresses. If you have a setup with redundant DHCP and monitoring/alerting, and you want to use assigned IP addresses via DHCP, you have probably reached a tipping point where the risks are not meaningfully dangerous.
 

Revan

Thanks.
 