Date: Thu, 10 May 2001 06:54:47 -0700
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: Alfred Perlstein <bright@wintelcom.net>
Cc: Sam <free@freep.org>, Freebsd-Stable <freebsd-stable@FreeBSD.ORG>
Subject: Re: nfs and ipfw
Message-ID: <200105101355.f4ADt4r07717@cwsys.cwsent.com>
In-Reply-To: Your message of "Wed, 09 May 2001 17:45:13 PDT." <20010509174513.D18676@fw.wintelcom.net>
In message <20010509174513.D18676@fw.wintelcom.net>, Alfred Perlstein writes:

> * Sam <free@freep.org> [010509 17:32] wrote:
> > does anyone know what rules one needs to get nfs through ipfw?
> >
> > thank you so much, Sam
>
> Please do a web search, the way RPC services are done it's a difficult
> task to accomplish.

Not only difficult but leaves large enough holes in your firewall to drive a Mack truck through it. Even if you could mitigate the holes in your firewall, the NFS protocol is extremely insecure, which can lead to total compromise of your site.

If both sites are trusted, e.g. managed by you personally, you could set up a VPN tunnel between both sites and route your NFS traffic through it. Having said that, I personally don't even allow NFS traffic through my VPN tunnels, as I try to keep sites as separate as possible, reducing the risk of total compromise, should one of the sites be compromised, by containing any damage to only one site and, if I can, to one machine.

Regards,                          Phone:  (250)387-8437
Cy Schubert                       Fax:  (250)387-5766
Team Leader, Sun/Alpha Team       Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC