Date: Thu, 10 May 2001 09:37:22 -0700 (PDT)
From: Milan Andric <mandric@EECS.Berkeley.EDU>
To: David Wolfskill <dhw@whistle.com>
Cc: <freebsd-stable@FreeBSD.ORG>
Subject: Re: nfs and ipfw
Message-ID: <Pine.SOL.4.30.0105100922130.22139-100000@argus.EECS.Berkeley.EDU>
In-Reply-To: <200105101616.f4AGG2u97467@pau-amma.whistle.com>

On Thu, 10 May 2001, David Wolfskill wrote:

> >Date: Thu, 10 May 2001 09:10:34 -0700 (PDT)
> >From: Milan Andric <mandric@EECS.Berkeley.EDU>
>
> >Can't you just allow udp from your nfs server ip?
> >in rc.firewall:
>
> >${fwcmd} add pass udp from ${ip} to NFS-SERVER
> >${fwcmd} add pass udp from NFS-SERVER to ${ip}
>
> >Milan
>
> >On Thu, 10 May 2001, Cy Schubert - ITSD Open Systems Group wrote:
>
> >> Not only difficult but leaves large enough holes in your firewall to
> >> drive a Mack truck through it.
>
> Yup; that would qualify as "large enough holes in your firewall to drive
> a Mack truck through it".  At least.  (Was it your intent to provide an
> example of what Cy wrote...?)
>
> Actually, if you want all UDP to flow unhindered, why bother with a
> "firewall"??!?

<newbie>
to limit it by ip, and wouldn't a reverse lookup keep people from spoofing?
</newbie>

vpn is not currently an option here, so how else does one deal with nfs?
Isn't it the most common way to share in unix environments? So it's
probably a common problem. How do we deal with it sanely? If the answer
is "don't use it." I'll accept that.. but it's not very helpful to those
that are hooked.

> (OK; there could be some reasons -- like just tracking
> usage, to using dummynet facilities... but calling the result a
> "firewall" isn't very useful.)
>
> Cheers,
> david
> --
> David Wolfskill		dhw@whistle.com   UNIX System Administrator
> Desk: 650/577-7158   TIE: 8/499-7158   Cell: 650/759-0823
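
Added example, not part of the original message or of ipfw: a toy first-match evaluator that shows which constructed inbound packets the two quoted rules admit, next to a hypothetical variant that also checks the source port. The addresses, the NARROW rule set, the sample packets and the default-deny fallback are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

CLIENT = "192.0.2.10"      # constructed stand-in for ${ip}
NFS_SERVER = "192.0.2.20"  # constructed stand-in for NFS-SERVER

@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    src_port: Optional[int] = None  # None means any source port

    def matches(self, pkt: dict) -> bool:
        return (self.proto == pkt["proto"]
                and self.src == pkt["src"]
                and self.dst == pkt["dst"]
                and self.src_port in (None, pkt["sport"]))

def verdict(rules, pkt) -> str:
    """First matching rule wins; assumes a final default-deny rule."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

def admitted(rules, packets) -> list:
    """Labels of the packets that the rule set passes."""
    return [p["label"] for p in packets if verdict(rules, p) == "pass"]

# The two rules quoted in the message: any UDP between the two addresses.
BROAD = [Rule("pass", "udp", CLIENT, NFS_SERVER),
         Rule("pass", "udp", NFS_SERVER, CLIENT)]

# Hypothetical narrower inbound rule: only UDP from the server's NFS port
# (2049). Portmapper and mountd traffic is left out of this sketch.
NARROW = [Rule("pass", "udp", CLIENT, NFS_SERVER),
          Rule("pass", "udp", NFS_SERVER, CLIENT, src_port=2049)]

# Constructed inbound packets as a filter sees them: header fields only.
PACKETS = [
    {"label": "nfs-reply", "proto": "udp", "src": NFS_SERVER,
     "sport": 2049, "dst": CLIENT, "dport": 1021},
    {"label": "server-addr-to-syslog", "proto": "udp", "src": NFS_SERVER,
     "sport": 40000, "dst": CLIENT, "dport": 514},
    {"label": "other-host", "proto": "udp", "src": "198.51.100.7",
     "sport": 2049, "dst": CLIENT, "dport": 1021},
]

if __name__ == "__main__":
    print("broad :", admitted(BROAD, PACKETS))
    print("narrow:", admitted(NARROW, PACKETS))
```

The evaluator matches only on the address and port fields carried in each packet, so any datagram bearing the server's address is treated the same whichever host actually sent it.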