Restricting NFS clients to particular IP addresses blocks _all_ addresses

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












0















I'm having trouble getting a Solaris 11.0 server to restrict access to an NFS share to a single client system.



I have roughly the following value for the share property of a tank/mail ZFS filesystem:



name=mail,path=/tank/mail,prot=nfs,none=*,rw=@10.0.23.43,sec=sys


I cannot mount the share on the client (running Solaris 11.3) at 10.0.23.43. I attempt like so:



mount -F nfs keisha:/tank/mail /tmp/mnt


and get the following error:



nfs mount: mount: /tmp/mnt: Permission denied


If I remove none=* then the client mounts fine. However, it is my understanding that doing so will allow access to clients at any address, which I want to prevent (and yes, I'm aware that it may be possible to spoof the address, but prefer to add whatever hoops I can.)



I have tried reversing the order of none and rw, and this changes nothing. I've tried rw=@10.0.23.43/32 and that doesn't work either.



I've tried opening it up to the whole subnet with rw=@10.0.0.0/16 and even that doesn't work. I've also double-checked that I have the client's address right. The client can't be using IPv6 to access the server, as the server's DNS entry is only IPv4 and I'm accessing it by name.



Why does restricting the client addresses prevent access even from a client at an explicitly allowed address? How do I fix this?






solaris nfs







share|improve this question



















  • 1





    If you only define one client, there should be no access from any other one. And by giving the complete IP, you do not need the '@'.

    – ridgy
    Jun 28 '17 at 14:22











  • @ridgy I'll try taking out the '@', but the man page does indicate it even for a single IP. I think it's to signal that it's not a hostname. 10.0.23.43 could be a valid hostname if someone gets crazy enough to pay $185,000 for .43 and ICANN gets crazy enough to approve. :)

    – Kevin
    Jun 28 '17 at 21:19















0















I'm having trouble getting a Solaris 11.0 server to restrict access to an NFS share to a single client system.



I have roughly the following value for the share property of a tank/mail ZFS filesystem:



name=mail,path=/tank/mail,prot=nfs,none=*,rw=@10.0.23.43,sec=sys


I cannot mount the share on the client (running Solaris 11.3) at 10.0.23.43. I attempt like so:



mount -F nfs keisha:/tank/mail /tmp/mnt


and get the following error:



nfs mount: mount: /tmp/mnt: Permission denied


If I remove none=* then the client mounts fine. However, it is my understanding that doing so will allow access to clients at any address, which I want to prevent (and yes, I'm aware that it may be possible to spoof the address, but prefer to add whatever hoops I can.)



I have tried reversing the order of none and rw, and this changes nothing. I've tried rw=@10.0.23.43/32 and that doesn't work either.



I've tried opening it up to the whole subnet with rw=@10.0.0.0/16 and even that doesn't work. I've also double-checked that I have the client's address right. The client can't be using IPv6 to access the server, as the server's DNS entry is only IPv4 and I'm accessing it by name.



Why does restricting the client addresses prevent access even from a client at an explicitly allowed address? How do I fix this?






solaris nfs







share|improve this question



















  • 1





    If you only define one client, there should be no access from any other one. And by giving the complete IP, you do not need the '@'.

    – ridgy
    Jun 28 '17 at 14:22











  • @ridgy I'll try taking out the '@', but the man page does indicate it even for a single IP. I think it's to signal that it's not a hostname. 10.0.23.43 could be a valid hostname if someone gets crazy enough to pay $185,000 for .43 and ICANN gets crazy enough to approve. :)

    – Kevin
    Jun 28 '17 at 21:19













0












0








0








I'm having trouble getting a Solaris 11.0 server to restrict access to an NFS share to a single client system.



I have roughly the following value for the share property of a tank/mail ZFS filesystem:



name=mail,path=/tank/mail,prot=nfs,none=*,rw=@10.0.23.43,sec=sys


I cannot mount the share on the client (running Solaris 11.3) at 10.0.23.43. I attempt like so:



mount -F nfs keisha:/tank/mail /tmp/mnt


and get the following error:



nfs mount: mount: /tmp/mnt: Permission denied


If I remove none=* then the client mounts fine. However, it is my understanding that doing so will allow access to clients at any address, which I want to prevent (and yes, I'm aware that it may be possible to spoof the address, but prefer to add whatever hoops I can.)



I have tried reversing the order of none and rw, and this changes nothing. I've tried rw=@10.0.23.43/32 and that doesn't work either.



I've tried opening it up to the whole subnet with rw=@10.0.0.0/16 and even that doesn't work. I've also double-checked that I have the client's address right. The client can't be using IPv6 to access the server, as the server's DNS entry is only IPv4 and I'm accessing it by name.



Why does restricting the client addresses prevent access even from a client at an explicitly allowed address? How do I fix this?






solaris nfs







share|improve this question
















I'm having trouble getting a Solaris 11.0 server to restrict access to an NFS share to a single client system.



I have roughly the following value for the share property of a tank/mail ZFS filesystem:



name=mail,path=/tank/mail,prot=nfs,none=*,rw=@10.0.23.43,sec=sys


I cannot mount the share on the client (running Solaris 11.3) at 10.0.23.43. I attempt like so:



mount -F nfs keisha:/tank/mail /tmp/mnt


and get the following error:



nfs mount: mount: /tmp/mnt: Permission denied


If I remove none=* then the client mounts fine. However, it is my understanding that doing so will allow access to clients at any address, which I want to prevent (and yes, I'm aware that it may be possible to spoof the address, but prefer to add whatever hoops I can.)



I have tried reversing the order of none and rw, and this changes nothing. I've tried rw=@10.0.23.43/32 and that doesn't work either.



I've tried opening it up to the whole subnet with rw=@10.0.0.0/16 and even that doesn't work. I've also double-checked that I have the client's address right. The client can't be using IPv6 to access the server, as the server's DNS entry is only IPv4 and I'm accessing it by name.



Why does restricting the client addresses prevent access even from a client at an explicitly allowed address? How do I fix this?






solaris nfs




solaris nfs






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jun 29 '17 at 11:46







Kevin

















asked Jun 28 '17 at 11:18









KevinKevin

199112




199112







  • 1





    If you only define one client, there should be no access from any other one. And by giving the complete IP, you do not need the '@'.

    – ridgy
    Jun 28 '17 at 14:22











  • @ridgy I'll try taking out the '@', but the man page does indicate it even for a single IP. I think it's to signal that it's not a hostname. 10.0.23.43 could be a valid hostname if someone gets crazy enough to pay $185,000 for .43 and ICANN gets crazy enough to approve. :)

    – Kevin
    Jun 28 '17 at 21:19












  • 1





    If you only define one client, there should be no access from any other one. And by giving the complete IP, you do not need the '@'.

    – ridgy
    Jun 28 '17 at 14:22











  • @ridgy I'll try taking out the '@', but the man page does indicate it even for a single IP. I think it's to signal that it's not a hostname. 10.0.23.43 could be a valid hostname if someone gets crazy enough to pay $185,000 for .43 and ICANN gets crazy enough to approve. :)

    – Kevin
    Jun 28 '17 at 21:19







1




1





If you only define one client, there should be no access from any other one. And by giving the complete IP, you do not need the '@'.

– ridgy
Jun 28 '17 at 14:22





If you only define one client, there should be no access from any other one. And by giving the complete IP, you do not need the '@'.

– ridgy
Jun 28 '17 at 14:22













@ridgy I'll try taking out the '@', but the man page does indicate it even for a single IP. I think it's to signal that it's not a hostname. 10.0.23.43 could be a valid hostname if someone gets crazy enough to pay $185,000 for .43 and ICANN gets crazy enough to approve. :)

– Kevin
Jun 28 '17 at 21:19





@ridgy I'll try taking out the '@', but the man page does indicate it even for a single IP. I think it's to signal that it's not a hostname. 10.0.23.43 could be a valid hostname if someone gets crazy enough to pay $185,000 for .43 and ICANN gets crazy enough to approve. :)

– Kevin
Jun 28 '17 at 21:19










2 Answers
2






active

oldest

votes


















0














Looks like ridgy answered your question, if it's shared to just one host. If you have multiple, using a semi-colon, or creating a netgroup could be used.



If you need/want additional blocking, you could look into using ipfilters or the Solaris Firewall derived from OpenBSD PF (pkg:/network/firewall).






share|improve this answer

























  • Feel free to incorporate the comments into your answer, as comments can be deleted, making this answer much less useful.

    – Jeff Schaller
    Jun 28 '17 at 19:11


















0














The comment by ridgy hinted at the answer. What was needed was to remove none, leaving:



name=mail,path=/tank/mail,prot=nfs,rw=@10.0.23.43,sec=sys


(It might be possible to omit the @ but the documentation calls for it so I figured it better to leave it in, in case the interpretation becomes more strict in future.)



This is a case of poor documentation. The man page states (emphasis mine):




none

Access is disallowed to all clients. The ro or rw options can override none.



none=access_list

Access is not allowed to any client that matches the access list. The exception is when the access list is an asterisk (*), in which case ro or rw can override none.




Not only does this very explicitly indicate that my client at 10.0.23.43 should have gained access even with none (which it did not,) it also implies that you actually need none in order to avoid clients not listed in rw getting at least some kind of access, because otherwise, why would the override exception for none=* have even (supposedly) been implemented? It would be redundant!



I didn't have any other NFS clients handy to test, so I changed the IP number of my client and confirmed that, indeed, none is not required in order for clients not otherwise listed to be denied access. Just to be sure, I added ro as a test, and my client at a different address could then read but not write.



Though this seems to be the solution, I'm not happy with it, because the documentation implies that what I'm doing is leaving it wide open, and indeed I might be doing just that in a future version that corrects itself to obey the intentions implied by the documentation. (At least I have external firewalls.)






share|improve this answer

























  • Did you see this part of the man page for share_nfs: The list is searched sequentially until a match is found that either grants or denies access I suspect that if you had reversed your list to rw=@10.0.23.43,none=* it may have worked as you intended.

    – Andrew Henle
    Jun 29 '17 at 19:13






  • 1





    The documentation indeed is not consistent. Especially for ZFS, there is docs.oracle.com/cd/E23824_01/html/821-1448/gayne.html, which refers to docs.oracle.com/cd/E23824_01/html/821-1462/… somewhere. But at the options section, none= is only specified for smb, not for nfs. This seems to be sort of "Try and Error".

    – ridgy
    Jun 29 '17 at 21:41











  • @AndrewHenle I did see that statement, which by context applies to the contents of the access list given to the rw, ro, or none option, as opposed to the order of those options themselves. Nevertheless I did try reversing the options as in your example and the outcome was the same.

    – Kevin
    Jun 30 '17 at 10:46











  • @Kevin Well, it's either a bug or you've just been welcomed to Solaris documentation. If it's not a bug, the behavior you're seeing almost certainly is documented somewhere in the documentation, but it's likely to be a footnote, obscure example, or a parenthetical expression on a man page at best peripherally related to sharing over NFS. The only way to find it is to know where it is in the first place, or open a support ticket and be told where it's documented. The newer, Oracle-era additions to Solaris also don't seem to be as rigorously documented as the Sun-legacy parts.

    – Andrew Henle
    Jun 30 '17 at 12:10











  • @AndrewHenle Yup, definitely have been experiencing that welcome! :)

    – Kevin
    Jul 5 '17 at 19:14










Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f373894%2frestricting-nfs-clients-to-particular-ip-addresses-blocks-all-addresses%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














Looks like ridgy answered your question, if it's shared to just one host. If you have multiple, using a semi-colon, or creating a netgroup could be used.



If you need/want additional blocking, you could look into using ipfilters or the Solaris Firewall derived from OpenBSD PF (pkg:/network/firewall).






share|improve this answer

























  • Feel free to incorporate the comments into your answer, as comments can be deleted, making this answer much less useful.

    – Jeff Schaller
    Jun 28 '17 at 19:11















0














Looks like ridgy answered your question, if it's shared to just one host. If you have multiple, using a semi-colon, or creating a netgroup could be used.



If you need/want additional blocking, you could look into using ipfilters or the Solaris Firewall derived from OpenBSD PF (pkg:/network/firewall).






share|improve this answer

























  • Feel free to incorporate the comments into your answer, as comments can be deleted, making this answer much less useful.

    – Jeff Schaller
    Jun 28 '17 at 19:11













0












0








0







Looks like ridgy answered your question, if it's shared to just one host. If you have multiple, using a semi-colon, or creating a netgroup could be used.



If you need/want additional blocking, you could look into using ipfilters or the Solaris Firewall derived from OpenBSD PF (pkg:/network/firewall).






share|improve this answer















Looks like ridgy answered your question, if it's shared to just one host. If you have multiple, using a semi-colon, or creating a netgroup could be used.



If you need/want additional blocking, you could look into using ipfilters or the Solaris Firewall derived from OpenBSD PF (pkg:/network/firewall).







share|improve this answer














share|improve this answer



share|improve this answer








edited Jun 28 '17 at 17:24

























answered Jun 28 '17 at 16:34









sleepyweaselsleepyweasel

88329




88329












  • Feel free to incorporate the comments into your answer, as comments can be deleted, making this answer much less useful.

    – Jeff Schaller
    Jun 28 '17 at 19:11

















  • Feel free to incorporate the comments into your answer, as comments can be deleted, making this answer much less useful.

    – Jeff Schaller
    Jun 28 '17 at 19:11
















Feel free to incorporate the comments into your answer, as comments can be deleted, making this answer much less useful.

– Jeff Schaller
Jun 28 '17 at 19:11





Feel free to incorporate the comments into your answer, as comments can be deleted, making this answer much less useful.

– Jeff Schaller
Jun 28 '17 at 19:11













0














The comment by ridgy hinted at the answer. What was needed was to remove none, leaving:



name=mail,path=/tank/mail,prot=nfs,rw=@10.0.23.43,sec=sys


(It might be possible to omit the @ but the documentation calls for it so I figured it better to leave it in, in case the interpretation becomes more strict in future.)



This is a case of poor documentation. The man page states (emphasis mine):




none

Access is disallowed to all clients. The ro or rw options can override none.



none=access_list

Access is not allowed to any client that matches the access list. The exception is when the access list is an asterisk (*), in which case ro or rw can override none.




Not only does this very explicitly indicate that my client at 10.0.23.43 should have gained access even with none (which it did not,) it also implies that you actually need none in order to avoid clients not listed in rw getting at least some kind of access, because otherwise, why would the override exception for none=* have even (supposedly) been implemented? It would be redundant!



I didn't have any other NFS clients handy to test, so I changed the IP number of my client and confirmed that, indeed, none is not required in order for clients not otherwise listed to be denied access. Just to be sure, I added ro as a test, and my client at a different address could then read but not write.



Though this seems to be the solution, I'm not happy with it, because the documentation implies that what I'm doing is leaving it wide open, and indeed I might be doing just that in a future version that corrects itself to obey the intentions implied by the documentation. (At least I have external firewalls.)






share|improve this answer

























  • Did you see this part of the man page for share_nfs: The list is searched sequentially until a match is found that either grants or denies access I suspect that if you had reversed your list to rw=@10.0.23.43,none=* it may have worked as you intended.

    – Andrew Henle
    Jun 29 '17 at 19:13






  • 1





    The documentation indeed is not consistent. Especially for ZFS, there is docs.oracle.com/cd/E23824_01/html/821-1448/gayne.html, which refers to docs.oracle.com/cd/E23824_01/html/821-1462/… somewhere. But at the options section, none= is only specified for smb, not for nfs. This seems to be sort of "Try and Error".

    – ridgy
    Jun 29 '17 at 21:41











  • @AndrewHenle I did see that statement, which by context applies to the contents of the access list given to the rw, ro, or none option, as opposed to the order of those options themselves. Nevertheless I did try reversing the options as in your example and the outcome was the same.

    – Kevin
    Jun 30 '17 at 10:46











  • @Kevin Well, it's either a bug or you've just been welcomed to Solaris documentation. If it's not a bug, the behavior you're seeing almost certainly is documented somewhere in the documentation, but it's likely to be a footnote, obscure example, or a parenthetical expression on a man page at best peripherally related to sharing over NFS. The only way to find it is to know where it is in the first place, or open a support ticket and be told where it's documented. The newer, Oracle-era additions to Solaris also don't seem to be as rigorously documented as the Sun-legacy parts.

    – Andrew Henle
    Jun 30 '17 at 12:10











  • @AndrewHenle Yup, definitely have been experiencing that welcome! :)

    – Kevin
    Jul 5 '17 at 19:14















0














The comment by ridgy hinted at the answer. What was needed was to remove none, leaving:



name=mail,path=/tank/mail,prot=nfs,rw=@10.0.23.43,sec=sys


(It might be possible to omit the @ but the documentation calls for it so I figured it better to leave it in, in case the interpretation becomes more strict in future.)



This is a case of poor documentation. The man page states (emphasis mine):




none

Access is disallowed to all clients. The ro or rw options can override none.



none=access_list

Access is not allowed to any client that matches the access list. The exception is when the access list is an asterisk (*), in which case ro or rw can override none.




Not only does this very explicitly indicate that my client at 10.0.23.43 should have gained access even with none (which it did not,) it also implies that you actually need none in order to avoid clients not listed in rw getting at least some kind of access, because otherwise, why would the override exception for none=* have even (supposedly) been implemented? It would be redundant!



I didn't have any other NFS clients handy to test, so I changed the IP number of my client and confirmed that, indeed, none is not required in order for clients not otherwise listed to be denied access. Just to be sure, I added ro as a test, and my client at a different address could then read but not write.



Though this seems to be the solution, I'm not happy with it, because the documentation implies that what I'm doing is leaving it wide open, and indeed I might be doing just that in a future version that corrects itself to obey the intentions implied by the documentation. (At least I have external firewalls.)






share|improve this answer

























  • Did you see this part of the man page for share_nfs: The list is searched sequentially until a match is found that either grants or denies access I suspect that if you had reversed your list to rw=@10.0.23.43,none=* it may have worked as you intended.

    – Andrew Henle
    Jun 29 '17 at 19:13






  • 1





    The documentation indeed is not consistent. Especially for ZFS, there is docs.oracle.com/cd/E23824_01/html/821-1448/gayne.html, which refers to docs.oracle.com/cd/E23824_01/html/821-1462/… somewhere. But at the options section, none= is only specified for smb, not for nfs. This seems to be sort of "Try and Error".

    – ridgy
    Jun 29 '17 at 21:41











  • @AndrewHenle I did see that statement, which by context applies to the contents of the access list given to the rw, ro, or none option, as opposed to the order of those options themselves. Nevertheless I did try reversing the options as in your example and the outcome was the same.

    – Kevin
    Jun 30 '17 at 10:46











  • @Kevin Well, it's either a bug or you've just been welcomed to Solaris documentation. If it's not a bug, the behavior you're seeing almost certainly is documented somewhere in the documentation, but it's likely to be a footnote, obscure example, or a parenthetical expression on a man page at best peripherally related to sharing over NFS. The only way to find it is to know where it is in the first place, or open a support ticket and be told where it's documented. The newer, Oracle-era additions to Solaris also don't seem to be as rigorously documented as the Sun-legacy parts.

    – Andrew Henle
    Jun 30 '17 at 12:10











  • @AndrewHenle Yup, definitely have been experiencing that welcome! :)

    – Kevin
    Jul 5 '17 at 19:14













0












0








0







The comment by ridgy hinted at the answer. What was needed was to remove none, leaving:



name=mail,path=/tank/mail,prot=nfs,rw=@10.0.23.43,sec=sys


(It might be possible to omit the @ but the documentation calls for it so I figured it better to leave it in, in case the interpretation becomes more strict in future.)



This is a case of poor documentation. The man page states (emphasis mine):




none

Access is disallowed to all clients. The ro or rw options can override none.



none=access_list

Access is not allowed to any client that matches the access list. The exception is when the access list is an asterisk (*), in which case ro or rw can override none.




Not only does this very explicitly indicate that my client at 10.0.23.43 should have gained access even with none (which it did not,) it also implies that you actually need none in order to avoid clients not listed in rw getting at least some kind of access, because otherwise, why would the override exception for none=* have even (supposedly) been implemented? It would be redundant!



I didn't have any other NFS clients handy to test, so I changed the IP number of my client and confirmed that, indeed, none is not required in order for clients not otherwise listed to be denied access. Just to be sure, I added ro as a test, and my client at a different address could then read but not write.



Though this seems to be the solution, I'm not happy with it, because the documentation implies that what I'm doing is leaving it wide open, and indeed I might be doing just that in a future version that corrects itself to obey the intentions implied by the documentation. (At least I have external firewalls.)






share|improve this answer















The comment by ridgy hinted at the answer. What was needed was to remove none, leaving:



name=mail,path=/tank/mail,prot=nfs,rw=@10.0.23.43,sec=sys


(It might be possible to omit the @ but the documentation calls for it so I figured it better to leave it in, in case the interpretation becomes more strict in future.)



This is a case of poor documentation. The man page states (emphasis mine):




none

Access is disallowed to all clients. The ro or rw options can override none.



none=access_list

Access is not allowed to any client that matches the access list. The exception is when the access list is an asterisk (*), in which case ro or rw can override none.




Not only does this very explicitly indicate that my client at 10.0.23.43 should have gained access even with none (which it did not,) it also implies that you actually need none in order to avoid clients not listed in rw getting at least some kind of access, because otherwise, why would the override exception for none=* have even (supposedly) been implemented? It would be redundant!



I didn't have any other NFS clients handy to test, so I changed the IP number of my client and confirmed that, indeed, none is not required in order for clients not otherwise listed to be denied access. Just to be sure, I added ro as a test, and my client at a different address could then read but not write.



Though this seems to be the solution, I'm not happy with it, because the documentation implies that what I'm doing is leaving it wide open, and indeed I might be doing just that in a future version that corrects itself to obey the intentions implied by the documentation. (At least I have external firewalls.)







share|improve this answer














share|improve this answer



share|improve this answer








edited Jun 29 '17 at 11:47

























answered Jun 29 '17 at 11:21









KevinKevin

199112




199112












  • Did you see this part of the man page for share_nfs: The list is searched sequentially until a match is found that either grants or denies access I suspect that if you had reversed your list to rw=@10.0.23.43,none=* it may have worked as you intended.

    – Andrew Henle
    Jun 29 '17 at 19:13






  • 1





    The documentation indeed is not consistent. Especially for ZFS, there is docs.oracle.com/cd/E23824_01/html/821-1448/gayne.html, which refers to docs.oracle.com/cd/E23824_01/html/821-1462/… somewhere. But at the options section, none= is only specified for smb, not for nfs. This seems to be sort of "Try and Error".

    – ridgy
    Jun 29 '17 at 21:41











  • @AndrewHenle I did see that statement, which by context applies to the contents of the access list given to the rw, ro, or none option, as opposed to the order of those options themselves. Nevertheless I did try reversing the options as in your example and the outcome was the same.

    – Kevin
    Jun 30 '17 at 10:46











  • @Kevin Well, it's either a bug or you've just been welcomed to Solaris documentation. If it's not a bug, the behavior you're seeing almost certainly is documented somewhere in the documentation, but it's likely to be a footnote, obscure example, or a parenthetical expression on a man page at best peripherally related to sharing over NFS. The only way to find it is to know where it is in the first place, or open a support ticket and be told where it's documented. The newer, Oracle-era additions to Solaris also don't seem to be as rigorously documented as the Sun-legacy parts.

    – Andrew Henle
    Jun 30 '17 at 12:10











  • @AndrewHenle Yup, definitely have been experiencing that welcome! :)

    – Kevin
    Jul 5 '17 at 19:14

















  • Did you see this part of the man page for share_nfs: The list is searched sequentially until a match is found that either grants or denies access I suspect that if you had reversed your list to rw=@10.0.23.43,none=* it may have worked as you intended.

    – Andrew Henle
    Jun 29 '17 at 19:13






  • 1





    The documentation indeed is not consistent. Especially for ZFS, there is docs.oracle.com/cd/E23824_01/html/821-1448/gayne.html, which refers to docs.oracle.com/cd/E23824_01/html/821-1462/… somewhere. But at the options section, none= is only specified for smb, not for nfs. This seems to be sort of "Try and Error".

    – ridgy
    Jun 29 '17 at 21:41











  • @AndrewHenle I did see that statement, which by context applies to the contents of the access list given to the rw, ro, or none option, as opposed to the order of those options themselves. Nevertheless I did try reversing the options as in your example and the outcome was the same.

    – Kevin
    Jun 30 '17 at 10:46











  • @Kevin Well, it's either a bug or you've just been welcomed to Solaris documentation. If it's not a bug, the behavior you're seeing almost certainly is documented somewhere in the documentation, but it's likely to be a footnote, obscure example, or a parenthetical expression on a man page at best peripherally related to sharing over NFS. The only way to find it is to know where it is in the first place, or open a support ticket and be told where it's documented. The newer, Oracle-era additions to Solaris also don't seem to be as rigorously documented as the Sun-legacy parts.

    – Andrew Henle
    Jun 30 '17 at 12:10











  • @AndrewHenle Yup, definitely have been experiencing that welcome! :)

    – Kevin
    Jul 5 '17 at 19:14
















Did you see this part of the man page for share_nfs: The list is searched sequentially until a match is found that either grants or denies access I suspect that if you had reversed your list to rw=@10.0.23.43,none=* it may have worked as you intended.

– Andrew Henle
Jun 29 '17 at 19:13





Did you see this part of the man page for share_nfs: The list is searched sequentially until a match is found that either grants or denies access I suspect that if you had reversed your list to rw=@10.0.23.43,none=* it may have worked as you intended.

– Andrew Henle
Jun 29 '17 at 19:13




1




1





The documentation indeed is not consistent. Especially for ZFS, there is docs.oracle.com/cd/E23824_01/html/821-1448/gayne.html, which refers to docs.oracle.com/cd/E23824_01/html/821-1462/… somewhere. But at the options section, none= is only specified for smb, not for nfs. This seems to be sort of "Try and Error".

– ridgy
Jun 29 '17 at 21:41





The documentation indeed is not consistent. Especially for ZFS, there is docs.oracle.com/cd/E23824_01/html/821-1448/gayne.html, which refers to docs.oracle.com/cd/E23824_01/html/821-1462/… somewhere. But at the options section, none= is only specified for smb, not for nfs. This seems to be sort of "Try and Error".

– ridgy
Jun 29 '17 at 21:41













@AndrewHenle I did see that statement, which by context applies to the contents of the access list given to the rw, ro, or none option, as opposed to the order of those options themselves. Nevertheless I did try reversing the options as in your example and the outcome was the same.

– Kevin
Jun 30 '17 at 10:46





@AndrewHenle I did see that statement, which by context applies to the contents of the access list given to the rw, ro, or none option, as opposed to the order of those options themselves. Nevertheless I did try reversing the options as in your example and the outcome was the same.

– Kevin
Jun 30 '17 at 10:46













@Kevin Well, it's either a bug or you've just been welcomed to Solaris documentation. If it's not a bug, the behavior you're seeing almost certainly is documented somewhere in the documentation, but it's likely to be a footnote, obscure example, or a parenthetical expression on a man page at best peripherally related to sharing over NFS. The only way to find it is to know where it is in the first place, or open a support ticket and be told where it's documented. The newer, Oracle-era additions to Solaris also don't seem to be as rigorously documented as the Sun-legacy parts.

– Andrew Henle
Jun 30 '17 at 12:10





@Kevin Well, it's either a bug or you've just been welcomed to Solaris documentation. If it's not a bug, the behavior you're seeing almost certainly is documented somewhere in the documentation, but it's likely to be a footnote, obscure example, or a parenthetical expression on a man page at best peripherally related to sharing over NFS. The only way to find it is to know where it is in the first place, or open a support ticket and be told where it's documented. The newer, Oracle-era additions to Solaris also don't seem to be as rigorously documented as the Sun-legacy parts.

– Andrew Henle
Jun 30 '17 at 12:10













@AndrewHenle Yup, definitely have been experiencing that welcome! :)

– Kevin
Jul 5 '17 at 19:14





@AndrewHenle Yup, definitely have been experiencing that welcome! :)

– Kevin
Jul 5 '17 at 19:14

















draft saved

draft discarded
















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f373894%2frestricting-nfs-clients-to-particular-ip-addresses-blocks-all-addresses%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown






-

Popular posts from this blog

Peggy Mitchell

Image
EastEnders character This article is about the soap opera character. For the British tennis player, see Peggy Michell. For the author, see Margaret Mitchell. Peggy Mitchell Barbara Windsor as Peggy Mitchell (2008) EastEnders character Portrayed by Jo Warne (1991) Barbara Windsor (1994–2016) Duration 1991, 1994–2010, 2013–2016 First appearance Episode 650 30 April 1991  ( 1991-04-30 ) Last appearance Episode 5286 17 May 2016  ( 2016-05-17 ) (appearance) Episode 5287 19 May 2016 (voiceover) Introduced by Michael Ferguson (1991) Barbara Emile (1994) Louise Berridge (2004) Kate Harwood (2005) Lorraine Newman (2013) Dominic Treadwell-Collins (2014) Spin-off appearances The Mitchells - Naked Truths (1998) Classification Former; regular Profile Other names Peggy Butcher Occupation Barmaid Businesswoman Pub landlady Jo Warne as Peggy Mitchell (1991) Family Family Mitchell Father Jack Martin Mother Lily Martin Sisters Aunt ...
Read more

Palaiologos

Image
Palaiologos Παλαιολόγος Palaeologus, Palaeologue Imperial Family Double-headed eagle with the family cypher Country Byzantine Empire, Duchy of Montferrat (remaining lineage after Empire annexed by Ottomans) Founded 11th century  ( 11th century ) Founder Nikephoros Palaiologos (first known) Final ruler Constantine XI Palaiologos (Byzantine Empire) Margaret Paleologa (Montferrat) Titles Byzantine Emperor Marquess of Montferrat Style(s) "Augustus" "Basileus" "Autokrator" Traditions Greek Orthodoxy (predominantly) Roman Catholicism (remaining lineage in Montferrat) Dissolution 1533  ( 1533 ) Cadet branches Claimants: House of Kastrioti (defunct) House of Rurik (defunct) Palaiologan dynasty Chronology Michael VIII 1259–1282 with Andronikos II as co-emperor, 1261–1282 Andronikos II 1282–1328 with Michael IX (1294–1320) and Andronikos III (1321–1328) as co-emperors Andronikos III 1328–1341 John...
Read more

The Forum (Inglewood, California)

Image
The Forum "LA Forum" Prairie Ave. façade of The Forum in 2014 Full name The Forum, presented by Chase Former names The Forum (1967–1988) Great Western Forum (1988–2003) Address 3900 W. Manchester Blvd Location Inglewood, California Coordinates Coordinates: 33°57′29″N 118°20′31″W  /  33.95806°N 118.34194°W  / 33.95806; -118.34194 Public transit     Downtown Inglewood station Owner The Madison Square Garden Company Operator MSG Entertainment Seating type Reserved Capacity 17,500 Half-bowl: 8,000 Construction Broke ground July 1, 1966  ( 1966-07-01 ) Opened December 30, 1967  ( 1967-12-30 ) Renovated 1988, 2012–2014 Construction cost $16 million Renovation: 2014: $76.5 million Architect Charles Luckman Associates (original) Brisbin Brook Beynon (renovation) Structural engineer Johnson & Nielsen Associates (original) Severud Associates (renovation) Genera...
Read more