From owner-freebsd-net@FreeBSD.ORG Fri Jun 15 18:11:55 2007
From: Chuck Swiger <cswiger@mac.com>
Date: Fri, 15 Jun 2007 11:11:54 -0700
To: Jeremie Le Hen
Cc: freebsd-net@FreeBSD.org
Subject: Re: Firewalling NFS
In-Reply-To: <20070615072734.GC8093@obiwan.tataz.chchile.org>
Message-Id: <0E2012CE-0FEA-4A79-B386-13E4C58AA41A@mac.com>
List-Id: Networking and TCP/IP with FreeBSD

On Jun 15, 2007, at 12:27 AM,
Jeremie Le Hen wrote:
> It appears nearly impossible to firewall an NFS server on FreeBSD.

Yes and no. It's quite easy to firewall NFS along with everything else using a "default deny" ruleset. It's highly difficult to place a restrictive firewall ruleset between an NFS server and legitimate NFS clients, and, more relevantly, it's an open question as to whether it is useful (i.e., results in a noticeable benefit to security) to try.

The primary purpose of a firewall is to restrict traffic between machines or subnets which are in different trust domains, but you'd darn well better be willing to trust the NFS clients which you intend to connect to your NFS server to access the data on that NFS server, or else you shouldn't be letting them connect via NFS at all.

This is because NFS is, by and large, unsecurable to a knowledgeable attacker who has NFS client access anyway, or even just the ability to see and inject packets into the same subnet that either the client or server is on. This is less true if NFSv4 via SecureRPC is involved, but otherwise a simple MitM attack via ARP-cache poisoning or similar will get the attacker quite far...

-- 
-Chuck
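The "default deny" ruleset Chuck mentions, worked through for a FreeBSD NFSv3 server, as an added example that is not part of the original thread and not FreeBSD's own documentation. The hard part of a restrictive ruleset is that only nfsd (2049) and rpcbind (111) sit on fixed ports; mountd, rpc.lockd and rpc.statd take whatever rpcbind hands them unless they are pinned with their -p flags in rc.conf, so the script generates both the rc.conf lines and the matching pf.conf. The interface name (em0), the trusted client subnet (192.0.2.0/24) and the three pinned port numbers are assumptions chosen for the example. Note the caveat from the mail still applies: this limits who may speak NFS to the server, it does nothing against a client you have admitted or an attacker on the same segment.

```shell
#!/bin/sh
# Added example (not from the original thread): generate a default-deny pf
# ruleset for a FreeBSD NFSv3 server that only admits a trusted subnet.
# Assumed values (not stated in the mail): interface, subnet, pinned ports.
IFACE=em0
TRUSTED="192.0.2.0/24"
MOUNTD_PORT=892      # assumption: fixed port for mountd
LOCKD_PORT=4045      # assumption: fixed port for rpc.lockd
STATD_PORT=4046      # assumption: fixed port for rpc.statd

# rc.conf lines: without -p, mountd/lockd/statd get dynamic ports from
# rpcbind and cannot be named in a static firewall rule.
nfs_rc_conf() {
    cat <<EOF
nfs_server_enable="YES"
rpcbind_enable="YES"
mountd_enable="YES"
mountd_flags="-p ${MOUNTD_PORT}"
rpc_lockd_enable="YES"
rpc_lockd_flags="-p ${LOCKD_PORT}"
rpc_statd_enable="YES"
rpc_statd_flags="-p ${STATD_PORT}"
EOF
}

# pf.conf: block everything in both directions, then pass only the NFS
# ports, only from the trusted subnet, and let the server originate its
# own stateful connections (lockd/statd callbacks to clients need this).
nfs_pf_conf() {
    cat <<EOF
ext_if = "${IFACE}"
trusted = "{ ${TRUSTED} }"
nfs_ports = "{ 111, 2049, ${MOUNTD_PORT}, ${LOCKD_PORT}, ${STATD_PORT} }"

set skip on lo0
block in log all
block out log all
pass out quick on \$ext_if inet proto { tcp, udp, icmp } from (\$ext_if) to any keep state
pass in quick on \$ext_if inet proto tcp from \$trusted to (\$ext_if) port \$nfs_ports flags S/SA keep state
pass in quick on \$ext_if inet proto udp from \$trusted to (\$ext_if) port \$nfs_ports keep state
EOF
}

# Run the generated ruleset through pf's own parser when pfctl is present
# (i.e. on FreeBSD); elsewhere this is a no-op so the script still runs.
check_pf_conf() {
    if command -v pfctl >/dev/null 2>&1; then
        tmp=$(mktemp) || return 1
        nfs_pf_conf > "$tmp"
        pfctl -nf "$tmp"
        rc=$?
        rm -f "$tmp"
        return $rc
    fi
    return 0
}

# Default action: print both fragments for review; the admin merges them
# into /etc/rc.conf and /etc/pf.conf and loads with pfctl -f /etc/pf.conf.
nfs_rc_conf
echo
nfs_pf_conf
check_pf_conf
```

Clients on the trusted subnet that still cannot mount after this usually have a daemon that was not pinned (check with `rpcinfo -p` on the server: every registered service should show only 111, 2049 or one of the three chosen ports). An NFSv4-only server needs just TCP 2049 and none of the rpcbind/mountd/lockd/statd rules.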