Date: Thu, 10 May 2001 09:16:02 -0700 (PDT)
From: David Wolfskill
Message-Id: <200105101616.f4AGG2u97467@pau-amma.whistle.com>
To: mandric@EECS.Berkeley.EDU
Subject: Re: nfs and ipfw
Cc: freebsd-stable@FreeBSD.ORG

>Date: Thu, 10 May 2001 09:10:34 -0700 (PDT)
>From: Milan Andric

>Can't you just allow udp from your nfs server ip?

>in rc.firewall:

>${fwcmd} add pass udp from ${ip} to NFS-SERVER
>${fwcmd} add pass udp from NFS-SERVER to ${ip}

>Milan

>On Thu, 10 May 2001, Cy Schubert - ITSD Open Systems Group wrote:

>> Not only difficult but leaves large enough holes in your firewall to
>> drive a Mack truck through it.

Yup; that would qualify as "large enough holes in your firewall to
drive a Mack truck through it". At least. (Was it your intent to provide
an example of what Cy wrote...?)

Actually, if you want all UDP to flow unhindered, why bother with a
"firewall"??!? (OK; there could be some reasons -- like just tracking
usage, to using dummynet facilities... but calling the result a
"firewall" isn't very useful.)

Cheers,
david
--
David Wolfskill		dhw@whistle.com		UNIX System Administrator
Desk: 650/577-7158	TIE: 8/499-7158		Cell: 650/759-0823
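
An added example, not part of the original message or of FreeBSD's rc.firewall: a small audit that flags ipfw "add" rules passing UDP with no port restriction, which is the property of the two quoted rules that the thread is arguing about. The simplified rule grammar, the numeric-only port matching, and the third and fourth sample rules are assumptions made for this illustration.

```python
import re

ALLOW = {"allow", "pass", "permit", "accept"}      # ipfw synonyms for the same action
PORTS = re.compile(r"^\d+(-\d+)?(,\d+(-\d+)?)*$")  # numeric ports only (assumption)

def parse_rule(line):
    """Parse '... add [num] ACTION PROTO from SRC [ports] to DST [ports]'.

    Returns None for anything that does not have this simplified shape.
    Shell variables such as ${ip} are treated as opaque address tokens.
    """
    tok = line.split()
    if "add" not in tok:
        return None
    tok = tok[tok.index("add") + 1:]
    if tok and tok[0].isdigit():           # optional rule number
        tok = tok[1:]
    if len(tok) < 6 or tok[2] != "from":
        return None
    i = 5 if PORTS.match(tok[4]) else 4    # skip optional source ports
    if i + 1 >= len(tok) or tok[i] != "to":
        return None
    has_dports = len(tok) > i + 2 and bool(PORTS.match(tok[i + 2]))
    return {"action": tok[0], "proto": tok[1], "src": tok[3],
            "dst": tok[i + 1], "ports": i == 5 or has_dports}

def audit(rules):
    """Return the rules that pass UDP (or all IP) with no port restriction."""
    flagged = []
    for line in rules:
        r = parse_rule(line)
        if (r and r["action"] in ALLOW
                and r["proto"] in ("udp", "ip", "all") and not r["ports"]):
            flagged.append(line)
    return flagged

SAMPLE = [
    "${fwcmd} add pass udp from ${ip} to NFS-SERVER",   # quoted in the thread
    "${fwcmd} add pass udp from NFS-SERVER to ${ip}",   # quoted in the thread
    # Constructed contrast only, not a working NFS ruleset: mountd's port is
    # normally assigned dynamically, which is why a port list is hard to write.
    "${fwcmd} add pass udp from ${ip} to NFS-SERVER 111,2049",
    "${fwcmd} add 500 pass udp from any to any",         # constructed
]

if __name__ == "__main__":
    for rule in audit(SAMPLE):
        print("no port restriction:", rule)
```
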