Date:      Thu, 10 May 2001 06:54:47 -0700
From:      Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To:        Alfred Perlstein <bright@wintelcom.net>
Cc:        Sam <free@freep.org>, Freebsd-Stable <freebsd-stable@FreeBSD.ORG>
Subject:   Re: nfs and ipfw 
Message-ID:  <200105101355.f4ADt4r07717@cwsys.cwsent.com>
In-Reply-To: Your message of "Wed, 09 May 2001 17:45:13 PDT." <20010509174513.D18676@fw.wintelcom.net> 

In message <20010509174513.D18676@fw.wintelcom.net>, Alfred Perlstein 
writes:
> * Sam <free@freep.org> [010509 17:32] wrote:
> > does anyone know what rules one needs to get nfs through ipfw?
> > 
> > thank you so much, Sam
> 
> Please do a web search, the way RPC services are done it's a difficult
> task to accomplish.

Not only difficult, but it leaves large enough holes in your firewall to 
drive a Mack truck through it.

Even if you could mitigate the holes in your firewall, the NFS protocol 
is extremely insecure, which can lead to total compromise of your site.  
If both sites are trusted, e.g. managed by you personally, you could 
set up a VPN tunnel between both sites and route your NFS traffic 
through it.  Having said that, I personally don't even allow NFS 
traffic through my VPN tunnels, as I try to keep sites as separate as 
possible, reducing the risk of total compromise should one of the sites 
be compromised, by containing any damage to only one site and, if I can, 
to one machine.


Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC