NFS - Network File System

Revised: 2007-02-08 richard

Introduction

Network File System (NFS) is a standard UNIX file service architecture. NFS was designed by Sun Microsystems to provide transparent access to file systems across a network.

With NetBoot, you can use NFS (or HTTP) to deliver the boot image to clients.

Security

The NFS protocol was designed many years ago, when network security was not as big a concern as it is now. NFS is inherently insecure due to its architecture and shouldn't be deployed outside of a local area network environment.

Export NFS File System Read-Only
With NFS, when a server receives a request for an NFS share the primary method of security is the UID of the remote user. When a remote user attempts to access a file on an NFS server, the user is treated as the local user with the same UID.

This is a problem: a remote client could spoof the UID it presents, including UID 0. Therefore, it is advisable to set "NFS Export Settings" to "Read-Only". To prevent clients from reading files they should not have access to by spoofing their UID, you should also map all NFS users to a special NFS user with no privileges, "Map All users to nobody".

To make these changes, use Workgroup Manager and connect to your server running NetBoot and NFS. Then click on "Share Points" and select the NetBoot share point(s), select the "Protocols" pane, choose "NFS Export Settings", and select "Map All users to nobody" and "Read-only".

NFS - Export Settings

Restrict Access by Client IP or Subnet
You can also restrict access by client IP addresses or subnet.

NFS - Export Settings - Client

NFS - Export Settings - Subnet

Note: if you want to allow NetBoot across multiple subnets, Workgroup Manager currently supports only one subnet. As a workaround you can probably use the command line tool nidump to add additional subnets to the NFS Export Settings, but I haven't personally tested it.
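The three settings above (read-only, map all users to nobody, restrict by client or subnet) are what an export line in exports(5) format expresses with -ro, -mapall=nobody and -network/-mask or a host list. The following audit script is an added example, not part of the original page or of Mac OS X Server; it parses a small constructed exports file (the paths and addresses are placeholders) and reports which of those settings each export is missing. It assumes the BSD mountd syntax that Mac OS X uses, where only root is remapped to nobody unless -mapall is given.

```python
"""Audit exports(5)-style lines for the NFS hardening settings discussed above.

Added example; the sample exports file below is constructed, not taken from
a real server.  Syntax assumed (BSD mountd, as shipped with Mac OS X):
  /path [-ro] [-mapall=user[:group]] [-maproot=user] [-network net -mask mask] [host ...]
"""
import ipaddress
import shlex

# Constructed sample: an unrestricted default export, a hardened NetBoot
# export, a host-restricted export that only remaps root, and a writable
# export with an overly broad subnet.
SAMPLE_EXPORTS = """\
# constructed sample exports file (placeholder paths and addresses)
/NetBoot
/NetBoot -ro -mapall=nobody -network 192.168.10.0 -mask 255.255.255.0
/Shared -ro -maproot=nobody 192.168.10.5 192.168.10.6
/Backup -mapall=nobody -network 10.0.0.0 -mask 255.0.0.0
"""


def _value(tokens, i):
    """Return (value, index) for an option written as -opt=value or -opt value."""
    if "=" in tokens[i]:
        return tokens[i].split("=", 1)[1], i
    return tokens[i + 1], i + 1


def parse_export_line(line):
    """Parse one export line into a dict; None for blank or comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    tokens = shlex.split(line)
    entry = {"paths": [], "ro": False, "mapall": None, "maproot": None,
             "network": None, "mask": None, "hosts": []}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            entry["paths"].append(tok)
        elif tok == "-ro":
            entry["ro"] = True
        elif tok.startswith("-mapall"):
            entry["mapall"], i = _value(tokens, i)
        elif tok.startswith("-maproot"):
            entry["maproot"], i = _value(tokens, i)
        elif tok.startswith("-network"):
            entry["network"], i = _value(tokens, i)
        elif tok.startswith("-mask"):
            entry["mask"], i = _value(tokens, i)
        elif tok.startswith("-"):
            pass  # other options (-alldirs, ...) do not affect this audit
        else:
            entry["hosts"].append(tok)  # explicit client host or address
        i += 1
    return entry


def audit_export(entry):
    """Return a list of findings for one parsed export (empty list = hardened)."""
    findings = []
    if not entry["ro"]:
        findings.append("writable: add -ro (NetBoot images only need to be read)")
    mapall_user = (entry["mapall"] or "").split(":")[0]
    if mapall_user != "nobody":
        findings.append("client-supplied UIDs are trusted (only root is remapped); "
                        "use -mapall=nobody")
    if entry["network"] is None and not entry["hosts"]:
        findings.append("exported to every host: restrict with -network/-mask "
                        "or an explicit client list")
    elif entry["network"] is not None:
        spec = entry["network"] + ("/" + entry["mask"] if entry["mask"] else "")
        net = ipaddress.ip_network(spec, strict=False)
        if net.prefixlen < 16:
            findings.append("network %s is very broad; tighten the mask" % net)
    return findings


def audit_exports(text):
    """Audit a whole exports file; returns a list of (line, findings) pairs."""
    report = []
    for line in text.splitlines():
        entry = parse_export_line(line)
        if entry is not None:
            report.append((line.strip(), audit_export(entry)))
    return report


if __name__ == "__main__":
    for line, findings in audit_exports(SAMPLE_EXPORTS):
        print(line)
        for f in findings or ["OK"]:
            print("    " + f)
```

On a live server the same check can be cross-referenced from a client with `showmount -e <server>`, which lists what the server is actually exporting and to whom, so a typo in Workgroup Manager shows up before a client can rely on it.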

In addition to the NFS Export Settings, you probably want to set up your firewall to restrict NFS (along with the other NetBoot services) to only those clients or subnets that need these services.