From: Garrett Cooper
Date: Thu, 11 Jan 2007 12:54:07 -0800
To: freebsd-questions@freebsd.org
Subject: Firewalls and RPC (was "Re: Improvement to IPFilter / nfsd in FBSD (6.2+?)")
Chuck Swiger wrote:
> On Jan 11, 2007, at 10:58 AM, Garrett Cooper wrote:
>> Just wondering if anyone has IPFilter / nfsd setup properly on their
>> boxes with any beta versions of FBSD.
>
> It is typically not useful to implement firewall rules between NFS
> servers and legitimate NFS clients.
>
> The large number of RPC services using randomly assigned ports needed
> by NFS and the fact that machines which trust each other enough to
> permit filesharing and generally utilize a common set of directory
> services to keep the user/group mappings synced mean that the NFS
> server & clients should be considered in the same "trust domain" in
> most cases.

Right, ok. I suppose I was just being lazy/trying to blanket support all
machines on my subnet without having to delve into individual hosts, but
that makes perfect sense.

rpcbind (and RPC in general) strictly uses ports under 1023--assuming
that there are enough allocatable ports available for each RPC service
in the port range 1-1023--if running as root, does it not?

Does the same rationale apply for Samba? That's part of the reason why
I'm concerned with running a firewall. I run smbd/nmbd on the server
machine. Either that, or I could switch to another firewall setup (albeit
it'd be sort of a pain). Does ipfw / pf work better with RPC than
IPFilter?

>> Also if you suggest 7-CURRENT, what's the CVS tag for that version?
>
> The HEAD of the CVS tree (aka "."). Updating the 7-CURRENT won't have
> any effect upon firewall configuration for NFS, however.

Right. I was just going to see if there was any improvement in how
things were implemented in 7-CURRENT, because maybe the issues that I'm
encountering had been 'solved' in 7-CURRENT (although I would probably
have more issues with core kernel items as they're under heavy
development, it appears, given traffic on the current@ list).
Thanks Chuck!
-Garrett