From owner-freebsd-stable Thu May 10 9:37:30 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from relay.EECS.Berkeley.EDU (relay.EECS.Berkeley.EDU [169.229.34.228]) by hub.freebsd.org (Postfix) with ESMTP id E9ED037B422 for ; Thu, 10 May 2001 09:37:25 -0700 (PDT) (envelope-from mandric@EECS.Berkeley.EDU)
Received: from EECS.Berkeley.EDU (mandric@argus.EECS.Berkeley.EDU [169.229.60.79]) by relay.EECS.Berkeley.EDU (8.9.3/8.9.3) with ESMTP id JAA06641; Thu, 10 May 2001 09:37:25 -0700 (PDT)
Received: from localhost (mandric@localhost) by EECS.Berkeley.EDU (8.9.3/8.9.3) with ESMTP id JAA23116; Thu, 10 May 2001 09:37:22 -0700 (PDT)
X-Authentication-Warning: argus.EECS.Berkeley.EDU: mandric owned process doing -bs
Date: Thu, 10 May 2001 09:37:22 -0700 (PDT)
From: Milan Andric
To: David Wolfskill
Cc:
Subject: Re: nfs and ipfw
In-Reply-To: <200105101616.f4AGG2u97467@pau-amma.whistle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 10 May 2001, David Wolfskill wrote:

> >Date: Thu, 10 May 2001 09:10:34 -0700 (PDT)
> >From: Milan Andric
>
> >Can't you just allow udp from your nfs server ip?
> >in rc.firewall:
>
> >${fwcmd} add pass udp from ${ip} to NFS-SERVER
> >${fwcmd} add pass udp from NFS-SERVER to ${ip}
>
> >Milan
>
> >On Thu, 10 May 2001, Cy Schubert - ITSD Open Systems Group wrote:
>
> >> Not only difficult but leaves large enough holes in your firewall to
> >> drive a Mack truck through it.
>
> Yup; that would qualify as "large enough holes in your firewall to drive
> a Mack truck through it".  At least.  (Was it your intent to provide an
> example of what Cy wrote...?)
>
> Actually, if you want all UDP to flow unhindered, why bother with a
> "firewall"??!?

To limit it by IP, and wouldn't a reverse lookup keep people from spoofing? VPN is not currently an option here, so how else does one deal with NFS? Isn't it the most common way to share in Unix environments? So it's probably a common problem. How do we deal with it sanely? If the answer is "don't use it," I'll accept that, but it's not very helpful to those that are hooked.

> (OK; there could be some reasons -- like just tracking
> usage, to using dummynet facilities... but calling the result a
> "firewall" isn't very useful.)
>
> Cheers,
> david
> --
> David Wolfskill dhw@whistle.com UNIX System Administrator
> Desk: 650/577-7158 TIE: 8/499-7158 Cell: 650/759-0823
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
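An added example, not part of the thread and not the rc.firewall shipped with FreeBSD, of how the two "pass udp from the server" rules quoted above can be narrowed. ipfw does not perform reverse DNS lookups on packets, and a reverse lookup would not catch a forged source address anyway; the usual check is to tie the server's address to the interface it can legitimately arrive on. The addresses and interface names are constructed sample values; the script uses echo as ${fwcmd} so the rules can be previewed before pointing it at /sbin/ipfw.

```shell
#!/bin/sh
# Added example, not from the thread: an rc.firewall-style fragment that
# narrows "pass all UDP from the NFS server" to the NFS ports, one
# client/server pair and one interface, plus an anti-spoofing rule.
# Every address and interface name below is a constructed sample value.

fwcmd="${fwcmd:-echo}"       # /sbin/ipfw on a real host; echo = dry run

ip="192.0.2.10"              # this host, the NFS client
nfs_server="192.0.2.20"      # the NFS server
inside_if="fxp0"             # interface the NFS server is reached through
outside_if="fxp1"            # interface facing untrusted networks

nfs_rules() {
    # Anti-spoofing: a packet claiming to come from the NFS server can only
    # legitimately arrive on the inside interface. Log and drop it otherwise.
    ${fwcmd} add deny log udp from ${nfs_server} to ${ip} in recv ${outside_if}

    # Portmapper (111) and nfsd (2049), each direction, only between these
    # two hosts and only via the inside interface. UDP carries no connection
    # state, so each direction needs its own rule.
    for port in 111 2049; do
        ${fwcmd} add pass udp from ${ip} to ${nfs_server} ${port} via ${inside_if}
        ${fwcmd} add pass udp from ${nfs_server} ${port} to ${ip} via ${inside_if}
    done

    # mountd and lockd pick dynamic RPC ports by default; pin them to fixed
    # ports on the server and add the same pair of rules for each port, or
    # their traffic is caught by this default deny for remaining UDP.
    ${fwcmd} add deny log udp from any to ${ip}
}

nfs_rules
```

The deny rules carry "log" so that spoofed or unexpected UDP shows up in the ipfw log rather than disappearing silently, which is what you want when deciding whether the rule set is too narrow or someone is probing it.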