From owner-freebsd-stable Thu May 10 6:56:25 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id ECD5937B422 for ; Thu, 10 May 2001 06:56:22 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id GAA01999; Thu, 10 May 2001 06:56:08 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda01997; Thu May 10 06:55:51 2001
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f4ADtjx12324; Thu, 10 May 2001 06:55:45 -0700 (PDT)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdS12322; Thu May 10 06:55:04 2001
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.3/8.9.1) id f4ADt4r07717; Thu, 10 May 2001 06:55:04 -0700 (PDT)
Message-Id: <200105101355.f4ADt4r07717@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdFs7710; Thu May 10 06:54:47 2001
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: schubert
To: Alfred Perlstein
Cc: Sam , Freebsd-Stable
Subject: Re: nfs and ipfw
In-reply-to: Your message of "Wed, 09 May 2001 17:45:13 PDT." <20010509174513.D18676@fw.wintelcom.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 10 May 2001 06:54:47 -0700
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In message <20010509174513.D18676@fw.wintelcom.net>, Alfred Perlstein writes:
> * Sam [010509 17:32] wrote:
> > does anyone know what rules one needs to get nfs through ipfw?
> >
> > thank you so much, Sam
>
> Please do a web search, the way RPC services are done it's a difficult
> task to accomplish.
Not only difficult, but it leaves large enough holes in your firewall to drive a Mack truck through. Even if you could mitigate the holes in your firewall, the NFS protocol is extremely insecure, which can lead to total compromise of your site. If both sites are trusted, e.g. managed by you personally, you could set up a VPN tunnel between both sites and route your NFS traffic through it. Having said that, I personally don't even allow NFS traffic through my VPN tunnels, as I try to keep sites as separate as possible, reducing the risk of total compromise should one of the sites be compromised, by containing any damage to only one site and, if I can, to one machine.

Regards,

Cy Schubert                        Phone: (250)387-8437
Team Leader, Sun/Alpha Team        Fax: (250)387-5766
Open Systems Group, ITSD, ISTA     Internet: Cy.Schubert@osg.gov.bc.ca
Province of BC

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
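The advice above (NFS only between two sites you manage, and only inside the VPN tunnel, never on the public interface) written out as an ipfw ruleset; this is an added example, not code from the thread or from FreeBSD. The interface names fxp0/gif0 and the two site subnets are assumptions, and the script only prints the rules so it can be reviewed before being run on a firewall.

```shell
#!/bin/sh
# Added example: generate ipfw rules that confine NFS to a site-to-site VPN
# tunnel and drop it on the public interface. Nothing here calls ipfw; the
# rules are echoed for review. Interface and subnet names are assumptions.

EXT_IF=${EXT_IF:-fxp0}                # assumed public interface
VPN_IF=${VPN_IF:-gif0}                # assumed tunnel interface (encrypted link)
LOCAL_NET=${LOCAL_NET:-10.1.0.0/24}   # assumed local site subnet
REMOTE_NET=${REMOTE_NET:-10.2.0.0/24} # assumed remote site subnet

# Only portmapper (111) and nfsd (2049) sit on fixed ports. mountd, lockd and
# statd take dynamic ports from the portmapper unless your mountd can pin its
# port, which is why port-based rules on the outside cannot cover NFS fully
# and why the tunnel, not the port list, is what actually bounds the exposure.
RPC_PORTS="111,2049"

nfs_vpn_rules() {
    # 1. Never accept RPC/NFS arriving on the public interface.
    echo "ipfw add 1000 deny log tcp from any to any $RPC_PORTS in via $EXT_IF"
    echo "ipfw add 1001 deny log udp from any to any $RPC_PORTS in via $EXT_IF"
    # 2. Permit NFS only between the two managed subnets, only over the tunnel.
    echo "ipfw add 1100 allow tcp from $REMOTE_NET to $LOCAL_NET $RPC_PORTS in via $VPN_IF"
    echo "ipfw add 1101 allow udp from $REMOTE_NET to $LOCAL_NET $RPC_PORTS in via $VPN_IF"
    echo "ipfw add 1102 allow tcp from $LOCAL_NET $RPC_PORTS to $REMOTE_NET out via $VPN_IF"
    echo "ipfw add 1103 allow udp from $LOCAL_NET $RPC_PORTS to $REMOTE_NET out via $VPN_IF"
    # 3. Any other traffic to the RPC ports, on any interface, is dropped and logged.
    echo "ipfw add 1200 deny log tcp from any to any $RPC_PORTS"
    echo "ipfw add 1201 deny log udp from any to any $RPC_PORTS"
}

# Sanity check for the generated set: no rule may allow RPC on the public
# interface. Returns the count, which should be 0.
ext_allow_count() {
    nfs_vpn_rules | grep -c "allow.*via $EXT_IF"
}

nfs_vpn_rules
```

Rule 1200/1201 exist so that a later, broader "allow" rule cannot accidentally reopen NFS on an interface the tunnel rules did not name.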