From owner-freebsd-questions Mon Mar 18 6:30:38 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from klima.physik.uni-mainz.de (klima.Physik.Uni-Mainz.DE [134.93.180.162]) by hub.freebsd.org (Postfix) with ESMTP id 655CE37B402 for ; Mon, 18 Mar 2002 06:30:31 -0800 (PST)
Received: from klima.Physik.Uni-Mainz.DE (Sturm@klima.Physik.Uni-Mainz.DE [134.93.180.162]) by klima.physik.uni-mainz.de (8.11.6/8.11.6) with ESMTP id g2IEUUd15182 for ; Mon, 18 Mar 2002 15:30:30 +0100 (CET) (envelope-from ohartman@klima.physik.uni-mainz.de)
Date: Mon, 18 Mar 2002 15:30:29 +0100 (CET)
From: "Hartmann, O."
To: freebsd-questions@freebsd.org
Subject: NIS/YP, NFS and PORTMAPPER over BRIDGED FIREWALL, please help
Message-ID: <20020318150752.H12650-100000@klima.physik.uni-mainz.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk

Hello.

I have to deal with a complicated scenario of bad network architecture, but since I cannot redesign the network, I have to deal with what's given. Our institute lives within a shared numeric domain and our pool of IPs is shared with two other departments, but each of these departments has 'unique' aliases.

Our department has a server farm, located in a special room, and I want to 'secure' this room. For that I built a bridge with PicoBSD that should do the firewalling work. So far, so good. The PicoBSD works well; it is already set up. But I ran into trouble setting up dedicated rules for each host. I want to sketch my ideas:

There are five main servers behind the bridge, so at the beginning of the filter rule table I do this for each host behind the bridge:

    $fwcmd add 190 skipto 1000 ip from any to $host1
    $fwcmd add 200 skipto 1000 ip from $host1 to any

The intention is to have a dedicated 'block' of rulesets for each host.

Then I define a block of rulesets for this special host, and initially I try to allow all traffic to and from the 'inner' servers by doing this:

    $fwcmd add 1010 allow ip from $host1 to $host2
    $fwcmd add 1020 allow ip from $host2 to $host1
    $fwcmd add 1030 allow ip from $host1 to $host3
    $fwcmd add 1040 allow ip from $host3 to $host1
    ...

and I do this for each host to ensure that traffic can pass. Well, this may seem foolish, but I have no other idea to work around the problem we have with the chaos of the given network.

At this moment I am testing the bridge with only one host behind the firewall, and it is a NIS/YP client; the NIS/YP servers are 'outbound', but that should not matter. The problem occurring is that NFS works fine, but ssh, telnet and other services, which seem to 'authenticate' an incoming user via NIS/YP, fail!

I opened port 111 for portmap, both TCP and UDP, but nothing happened. I read the manuals of portmap and I understand the way it works like this: a client 'asks' for a service and gets a response from portmap giving the service number and the port number the wanted service/server is listening on. Then the client tries again on this port. But only NFS has a fixed port (2049); all other services are unpredictable in theory, or is this wrong? Sorry, I'm a network novice in this respect, and before studying too much literature I would like to ask the net ...

If this is true (I mean how portmap works), it seems to be impossible to 'allow' dedicated ports to receive traffic. This 'theory' gets more likely as I receive messages on the console of the host (the one behind the bridge) that it is missing its NIS/YP domain (domain not responding).

Opening the bridge with this

    $fwcmd add allow ip from $net:$mask to $net:$mask

'solves' the problem, but in our situation here it means: the bridge is open for everything, so I could deinstall it and the result would be the same ...

--
Regards,
O. Hartmann
ohartman@klima.physik.uni-mainz.de
------------------------------------------------------------------
IT Administration of the Institute for Atmospheric Physics (IPA)
------------------------------------------------------------------
Johannes Gutenberg Universitaet Mainz
Becherweg 21
55099 Mainz
Tel: +496131/3924662 (machine room)
Tel: +496131/3924144 (office)
FAX: +496131/3923532

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message