From: Chuck Swiger <cswiger@mac.com>
Organization: The Courts of Chaos
Date: Tue, 29 Nov 2005 22:33:41 -0500
To: "Aaron P. Martinez"
Cc: freebsd-questions@freebsd.org
Subject: Re: pf blocking nfs
Message-ID: <438D1D95.7010503@mac.com>
In-Reply-To: <63871.192.168.3.69.1133320948.squirrel@webmail.proficuous.com>

Aaron P. Martinez wrote:
[ ... ]
> Actually my network looks like this:
>
> INT---firewall------internal router/firewall---------good lan
>          |                    |
>          |                    |---------insecure lan (windoze machines)
>          |
>          |----DMZ
>
> the good lan is the only one that does nfs, so the nfs doesn't actually
> pass through the firewall, just connects to the internal router/firewall.
> I am simply trying to avoid a worst case scenario (internal router gets
> compromised) so trying to allow ONLY return packets. Is this unfeasible?

I take it that your internal firewall box has three NICs, then?

Normally, your firewall should not be doing anything else but security and
would not be mounting NFS or depending on any other services on your network.
If that is not possible, you should permit traffic through the interface on
the "good LAN".

--
-Chuck
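One way to express Chuck's suggestion in pf.conf, as an added example that is not part of the thread: the firewall stays closed by default and only its own stateful NFS requests out of the good-LAN interface, and their replies, are allowed. Assumed names: `em1` as the good-LAN NIC, `192.0.2.10` as the NFS server, and mountd pinned to a fixed port with `mountd_flags="-p 1025"` in rc.conf (rpc.lockd and rpc.statd take the same `-p` flag if the mount uses locking); without pinning, mountd picks a random port that a static rule cannot match.

```pf
# Added example (not from the original thread). Assumptions: em1 is the NIC on
# the "good LAN", 192.0.2.10 is the NFS server, and mountd is pinned to port
# 1025 via rc.conf (mountd_flags="-p 1025"). Adjust the lockd/statd ports
# the same way if you use NFS locking.
good_if    = "em1"
nfs_server = "192.0.2.10"
nfs_ports  = "{ 111, 2049, 1025 }"   # sunrpc (portmapper), nfsd, mountd (pinned)

# Default deny on every interface, including the DMZ and insecure-LAN NICs.
block log all

# Only the firewall's own requests leave on the good-LAN interface, and
# "keep state" is what lets the matching replies back in: nothing else
# arriving on em1 (or any other NIC) matches a pass rule.
pass out on $good_if proto { tcp, udp } from ($good_if) \
    to $nfs_server port $nfs_ports keep state
```

If the firewall must also act as an NFS *server* for the good LAN, add a matching `pass in on $good_if ... keep state` rule from the good-LAN subnet to `($good_if)` for the same ports; an unsolicited packet from a compromised router toward any other interface still hits `block all`.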