NFS - Bind to Interface?

[yoloclin]

I've currently got a truenas host which I'm looking to leverage as a SAN for a oVirt cluster. Currently, it has a high speed direct connection to the oVirt host, and an ethernet connection to the wider network for management.

I'd probably prefer NFS over iSCSI for storage give the complexity of setting up the latter, but my implementation MUST be secure. Optimally authentication would be preferred, but failing that, binding NFS to the oVirt interface would suffice. My train of thought is even if I bind NFS to permit only a specific host, this creates an implicit trust on network infrastructure, which I'd like to avoid.

Is this possible? If not what are the sane alternatives which aren't SMB? Is there some any host-based mechanism preventing allowed hosts routing via an interface given there's no firewall on truenas?

I'll repeat: configuring allowed hosts will not suffice in this setup for previously mentioned reasons.

 

[Patrick M. Hausen]

You can do that. Have you looked at the service configuration? See screenshot, please.

 

[yoloclin]

That is binding to an IP address, not a network interface.

 

[Patrick M. Hausen]

Use the IP address of that network interface. Since TrueNAS by default does not route, NFS will be inaccessible on all other interfaces.

 

[rogerh]

Use the IP address of that network interface. Since TrueNAS by default does not route, NFS will be inaccessible on all other interfaces.

Does this actually work? Certainly for AFP and SMB setting only one IP to bind to does not work, and despite setting this in the GUI menu the services bind to all available external IP addresses. See:

https://jira.ixsystems.com/browse/NAS-107279

 

[Patrick M. Hausen]

It's a feature in the UI so I took for granted that it works as it should. I wasn't aware of issues with this. Sorry.

Edit: and you are perfectly right. What the absolute ... iX?

Code:

tcp4       0      0 *.111                  *.*                    LISTEN     
tcp6       0      0 *.111                  *.*                    LISTEN     
udp4       0      0 *.111                  *.*                   
udp6       0      0 *.111                  *.*