Date:      Thu, 10 May 2001 09:10:34 -0700 (PDT)
From:      Milan Andric <mandric@EECS.Berkeley.EDU>
To:        Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
Cc:        Alfred Perlstein <bright@wintelcom.net>, Sam <free@freep.org>, Freebsd-Stable <freebsd-stable@FreeBSD.ORG>
Subject:   Re: nfs and ipfw 
Message-ID:  <Pine.SOL.4.30.0105100906590.22139-100000@argus.EECS.Berkeley.EDU>
In-Reply-To: <200105101355.f4ADt4r07717@cwsys.cwsent.com>


Can't you just allow udp from your nfs server ip?
in rc.firewall:

${fwcmd} add pass udp from ${ip} to NFS-SERVER
${fwcmd} add pass udp from NFS-SERVER to ${ip}

Milan

On Thu, 10 May 2001, Cy Schubert - ITSD Open Systems Group wrote:

> In message <20010509174513.D18676@fw.wintelcom.net>, Alfred Perlstein
> writes:
> > * Sam <free@freep.org> [010509 17:32] wrote:
> > > does anyone know what rules one needs to get nfs through ipfw?
> > >
> > > thank you so much, Sam
> >
> > Please do a web search, the way RPC services are done it's a difficult
> > task to accomplish.
>
> Not only difficult but leaves large enough holes in your firewall to
> drive a Mack truck through it.
>
> Even if you could mitigate the holes in your firewall, the NFS protocol
> is extremely insecure which can lead to total compromise of your site.
> If both sites are trusted, e.g. managed by you personally, you could
> set up a VPN tunnel between both sites and route your NFS traffic
> through it.  Having said that, I personally don't even allow NFS
> traffic through my VPN tunnels, as I try to keep sites as separate as
> possible reducing the risk of total compromise, should one of the sites
> be compromised, by containing any damage to only one site and if I can
> to one machine.
>
>
> Regards,                         Phone:  (250)387-8437
> Cy Schubert                        Fax:  (250)387-5766
> Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
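The two-line rc.firewall fragment above lets all UDP between the two hosts through. As an added example (not code from the thread or from FreeBSD's rc.firewall), the function below emits ipfw rules that are narrower than a blanket UDP pass: only the fixed RPC ports, portmapper/rpcbind (111) and nfsd (2049), between one named client and one named server, for both UDP and TCP. The addresses are placeholders and `fwcmd` is assumed to default to `echo ipfw` so the rules are printed rather than loaded. It deliberately does not cover mountd, whose port is assigned dynamically by RPC; that gap is exactly the difficulty Alfred and Cy point out, and closing it means pinning mountd to a port or, as Cy suggests, not exposing NFS to the firewall at all.

```shell
#!/bin/sh
# Added example: host-restricted ipfw rules for NFS over the fixed RPC ports.
# Addresses are constructed placeholders; nothing here is loaded into a live
# firewall unless fwcmd is overridden (e.g. fwcmd=/sbin/ipfw).
fwcmd="${fwcmd:-echo ipfw}"

# nfs_rules SERVER CLIENT
#   Prints one ipfw rule per line, allowing only portmapper (111) and
#   nfsd (2049) traffic between CLIENT and SERVER, in both directions,
#   for udp and tcp. mountd's dynamic port is intentionally not opened.
nfs_rules() {
    server="$1"
    client="$2"
    for proto in udp tcp; do
        for port in 111 2049; do
            echo "add pass $proto from $client to $server $port"
            echo "add pass $proto from $server $port to $client"
        done
    done
}

# count_rules SERVER CLIENT: number of rules nfs_rules would emit
count_rules() {
    nfs_rules "$1" "$2" | wc -l | tr -d ' '
}

# Dry run with placeholder addresses: prints "ipfw add pass ..." lines.
nfs_rules 192.0.2.10 192.0.2.20 | while read -r rule; do
    $fwcmd $rule
done
```

Run it as-is to see the rule set; set `fwcmd=/sbin/ipfw` to load it. Each rule names both hosts and a port, so a compromised third host on the same segment gets nothing from these entries, which is the point of narrowing Milan's host-only rules further.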