Date: Tue, 2 May 1995 18:00:19 -0600
From: Danny Boulet <danny@nahanni.BouletFermat.ab.ca>
To: freebsd-security@FreeBSD.org
Subject: Re: Security options for NFS?
Message-ID: <199505030000.SAA09731@nahanni.BouletFermat.ab.ca>

nlawson@statler.csc.calpoly.edu (Nathan Lawson) says:
> > I'm looking to secure NFS and other services not covered by tcpd -
> > what's the conventional wisdom for FreeBSD 2.0?
>
> Good question. I recommend compiling with the "IPFIREWALL" and
> "IPFIREWALL_VERBOSE" options. Then you can deny packets to those services
> with the ipfw(8) utility. Also, if you don't have the full ability to
> firewall, then you can use the SecureLib library. It compiles with very
> minor tweaking. I am considering sending it in to the ports people or
> whoever if anyone wants it.
>
> For NFS, block tcp and udp ports 111, and udp port 2049.
>
> Good luck,
> --
> Nathan Lawson \ Never let your schooling interfere with your education.
> CSL 490/News Admin \
> (805)756-7180 @Work \ "The steady state of disks is full." -- Ken Thompson
> ---------------------
>

The IPFIREWALL support in FreeBSD 2.0 is based on an older version
of my ipfirewall utility. The latest version (v2.0a) includes the following:

  - ability to match packets based on whether or not they:
      = are in-bound TCP/IP connection attempts
      = are IP fragments
      = have IP options defined
  - ability to request that a packet be accepted and logged (i.e.
    echoed on the console).
  - all rejected or logged packet messages indicate which filter
    matched the packet (helps when debugging filters).
  - interface-specific filters (provides a way to defeat a variety
    of IP spoofing style attacks by attaching filters to specific
    network interfaces).
  - minor cleanup all over the place.

The latest version is available for ftp from:

  ftp://ftp.nebulus.net/pub/bsdi/security/ipfirewall_v2.0a.gz

or

  ftp://ftp.bsdi.com/contrib/networking/security/ipfirewall_v2.0a.shar.gz

I've got FreeBSD 2.0 on a CD-ROM so I can provide diffs that should allow
ipfirewall v2.0 to be installed on FreeBSD 2.0. Unfortunately, I don't
run FreeBSD on any machine that I've got access to so I can't test the
diffs (I use BSD/OS v2.0 for all my ipfirewall development). Contact me
directly (danny@bouletfermat.ab.ca) if you're interested in these diffs.
Once someone running FreeBSD has verified that they work, I'll include them
in my standard release.

-Danny

P.S. A bound 30 page user's guide is provided to those who contribute the
suggested minimum shareware amount ($60 Canadian or roughly $44 US these days).
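
Added example (not part of the original message, and not code from ipfirewall or FreeBSD's ipfw): a small Python model of first-match filtering that uses the match criteria listed above together with the port 111 and 2049 blocks from the quoted reply. The interface name ext0, the inside network 192.0.2.0/24, the default-accept policy and all rule names are assumptions made for the illustration.

```python
# Added illustration: a toy first-match packet filter, not ipfirewall or ipfw code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:                     # constructed model of the fields a filter inspects
    iface: str
    proto: str                    # "tcp" or "udp"
    src: str
    dport: int
    setup: bool = False           # in-bound TCP connection attempt (SYN set, ACK clear)
    fragment: bool = False
    ip_options: bool = False

@dataclass
class Rule:
    name: str
    action: str                   # "deny", "accept", or "log" (accept and log)
    iface: Optional[str] = None   # None = do not care, for every optional field
    proto: Optional[str] = None
    src_net: Optional[str] = None
    dports: tuple = ()
    setup: Optional[bool] = None  # True/False = match on "whether or not"
    fragment: Optional[bool] = None
    ip_options: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        fields = ("iface", "proto", "setup", "fragment", "ip_options")
        same = all(getattr(self, f) in (None, getattr(p, f)) for f in fields)
        in_net = self.src_net is None or ip_address(p.src) in ip_network(self.src_net)
        return same and in_net and (not self.dports or p.dport in self.dports)

def evaluate(rules, p, default="accept"):
    """First matching rule wins; returns (verdict, rule name, log line or None)."""
    for r in rules:
        if r.matches(p):
            line = f"{r.action} by [{r.name}]: {p.iface} {p.proto} {p.src} -> port {p.dport}"
            verdict = "deny" if r.action == "deny" else "accept"
            return verdict, r.name, (None if r.action == "accept" else line)
    return default, None, None

EXT, INSIDE = "ext0", "192.0.2.0/24"   # assumed outside interface and inside network
RULES = [
    Rule("anti-spoof", "deny", iface=EXT, src_net=INSIDE),  # inside source seen outside
    Rule("no-ip-options", "deny", iface=EXT, ip_options=True),
    Rule("portmap", "deny", iface=EXT, dports=(111,)),       # tcp and udp 111
    Rule("nfs", "deny", iface=EXT, proto="udp", dports=(2049,)),
    Rule("log-setup", "log", iface=EXT, proto="tcp", setup=True),
]
```

Because the anti-spoof rule is bound to the outside interface, a packet claiming an inside source address is rejected there, while the same packet on an inside interface matches no rule and falls through to the default.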
