I had a situation where I wanted to restrict access to a project on my ZFS storage appliance (7320) to a small list of hosts on a private network. The project needs to be accessible r/w, with root permissions from 4 hosts that I need to specify by IP address.
192.168.28.2 192.168.28.3 192.168.28.6 192.168.28.7
However, no other host in the 192.168.28.0/22 network may be able to mount the share.
The way to achieve this is to lock down the permissions and then explicitly grant access to the systems you need. You have 3 ways of specifying the hosts for exceptions:
- Host(FQDN) or Netgroup – This requires you to have your private hostnames registered in DNS, which was not possible in my case. You CANNOT enter an IP address in this field.
- DNS Domain – all of my hosts are in the same domain, so this was not fine-grained enough.
- Network – Counter-intuitively, it is Network that lets me specify individual IP addresses, using a CIDR netmask that matches only 1 host (the netmask does not have to match that of the underlying interface).
First thing – set the default NFS share mode to ‘NONE’ so that non-excepted hosts cannot mount the share.
Then add an exception for each host, using a /32 netmask, which limits it to a single IP.
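To audit an exception list before committing it on the appliance, here is an added Python model of the rule just described (my own illustration, not anything from the appliance): default mode NONE, first matching Network exception wins. It also shows why a netmask copied from the interface (/22) would admit the whole subnet while /32 admits exactly one host.

```python
import ipaddress

# Constructed from the post: default NFS share mode NONE, plus one "Network"
# exception per host with a /32 netmask. Tuples are (cidr, mode, root_access).
DEFAULT_MODE = "none"
EXCEPTIONS = [
    ("192.168.28.2/32", "rw", True),
    ("192.168.28.3/32", "rw", True),
    ("192.168.28.6/32", "rw", True),
    ("192.168.28.7/32", "rw", True),
]


def compile_exceptions(exceptions):
    """Parse CIDR strings once. strict=False mirrors a netmask being applied
    to a host address, so '192.168.28.2/22' silently becomes 192.168.28.0/22:
    exactly the mistake of copying the interface mask instead of using /32."""
    return [(ipaddress.ip_network(cidr, strict=False), mode, root)
            for cidr, mode, root in exceptions]


def effective_access(client_ip, exceptions=EXCEPTIONS, default=DEFAULT_MODE):
    """Return (mode, root_access) for one client: the first exception whose
    network contains the client wins, otherwise the default share mode."""
    addr = ipaddress.ip_address(client_ip)
    for net, mode, root in compile_exceptions(exceptions):
        if addr in net:
            return mode, root
    return default, False


def audit(exceptions=EXCEPTIONS, scope="192.168.28.0/22", default=DEFAULT_MODE):
    """Every address in scope that gets more than the default mode. The
    result should list exactly the intended hosts; anything extra means an
    exception's netmask is wider than a single host."""
    compiled = compile_exceptions(exceptions)
    granted = {}
    for addr in ipaddress.ip_network(scope).hosts():
        for net, mode, root in compiled:
            if addr in net and mode != default:
                granted[str(addr)] = (mode, root)
                break
    return granted


if __name__ == "__main__":
    for ip in ("192.168.28.2", "192.168.28.4"):
        print(ip, effective_access(ip))
    print("hosts granted access:", sorted(audit()))
```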
So, a quick test. This one should work:
root@myhost-d1:/stage# ifconfig stor_ipmp0
stor_ipmp0: flags=8001000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,IPMP> mtu 65520 index 3
        inet 192.168.28.2 netmask fffffc00 broadcast 192.168.31.255
        groupname stor_ipmp0
root@myhost-d1:/# mount -f nfs -o rw 192.168.28.1:/export/stage /mnt
root@myhost-d1:/# df -k /mnt
Filesystem                 1024-blocks        Used   Available Capacity  Mounted on
192.168.28.1:/export/stage 10737418209          31 10737418178       1%  /mnt
This one should fail:
root@myhost-d3:~# ifconfig stor_ipmp0
stor_ipmp0: flags=8001000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,IPMP> mtu 65520 index 3
        inet 192.168.28.4 netmask fffffc00 broadcast 192.168.31.255
        groupname stor_ipmp0
root@myhost-d3:~# mount -f nfs -o rw 192.168.28.1:/export/stage /mnt
nfs mount: mount: /mnt: Permission denied