From owner-freebsd-stable Thu May 10 9:42: 9 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from smtpproxy1.mitre.org (mb-20-100.mitre.org [129.83.20.100]) by hub.freebsd.org (Postfix) with ESMTP id DDF8D37B423 for ; Thu, 10 May 2001 09:42:01 -0700 (PDT) (envelope-from jandrese@mitre.org)
Received: from avsrv1.mitre.org (avsrv1.mitre.org [129.83.20.58]) by smtpproxy1.mitre.org (8.9.3/8.9.3) with ESMTP id MAA20686; Thu, 10 May 2001 12:41:09 -0400 (EDT)
Received: from MAILHUB1 (mailhub1.mitre.org [129.83.20.31]) by smtpsrv1.mitre.org (8.9.3/8.9.3) with ESMTP id MAA10891; Thu, 10 May 2001 12:41:08 -0400 (EDT)
Received: from dhcp-105-164.mitre.org (128.29.105.164) by mailhub1.mitre.org with SMTP id 6447730; Thu, 10 May 2001 12:40:33 -0400
Message-ID: <3AFAC4A4.9EAD5D4E@mitre.org>
Date: Thu, 10 May 2001 12:41:08 -0400
From: Jason Andresen
Organization: The MITRE Corporation
X-Mailer: Mozilla 4.75 [en]C-20000818M (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: David Wolfskill
Cc: mandric@eecs.berkeley.edu, freebsd-stable@freebsd.org
Subject: Re: nfs and ipfw
References: <200105101616.f4AGG2u97467@pau-amma.whistle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

David Wolfskill wrote:
>
> >Date: Thu, 10 May 2001 09:10:34 -0700 (PDT)
> >From: Milan Andric
>
> >Can't you just allow udp from your nfs server ip?
> >in rc.firewall:
>
> >${fwcmd} add pass udp from ${ip} to NFS-SERVER
> >${fwcmd} add pass udp from NFS-SERVER to ${ip}
>
> >Milan
>
> >On Thu, 10 May 2001, Cy Schubert - ITSD Open Systems Group wrote:
>
> >> Not only difficult but leaves large enough holes in your firewall to
> >> drive a Mack truck through it.
>
> Yup; that would qualify as "large enough holes in your firewall to drive
> a Mack truck through it". At least. (Was it your intent to provide an
> example of what Cy wrote...?)
>
> Actually, if you want all UDP to flow unhindered, why bother with a
> "firewall"??!? (OK; there could be some reasons -- like just tracking
> usage, to using dummynet facilities... but calling the result a
> "firewall" isn't very useful.)

Couldn't you specify something like:

    No UDP traffic allowed in on the external interface,
    Rest of firewall rules.

You may not even have to be that severe; shouldn't the anti-spoof provisions work fine as long as your NFS-SERVER is behind the firewall (which I have to assume it is, as NFS over the internet is not only dog slow, but completely and utterly exploitable).
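One way to lay out the rule order Jason describes (anti-spoof first, then no UDP in on the external interface, then NFS passed only on the inside toward the NFS server), written as an added example in the style of a FreeBSD 4.x rc.firewall fragment. It is not code from this thread or from FreeBSD's own rc.firewall; the interface names, networks and NFS server address are constructed placeholders, and by default it only prints the ipfw commands instead of loading them.

```shell
#!/bin/sh
# Added example, not from the thread. All values below are constructed
# placeholders; override them in the environment for a real host.
oif="${oif:-fxp0}"            # external (internet-facing) interface, assumed
iif="${iif:-fxp1}"            # internal interface, assumed
onet="${onet:-203.0.113.0}";  omask="${omask:-255.255.255.0}"   # external net
inet="${inet:-192.168.1.0}";  imask="${imask:-255.255.255.0}"   # internal net
nfs_server="${nfs_server:-192.168.1.10}"   # constructed; must sit on the inside
nfs_ports="${nfs_ports:-111,2049}"         # portmapper and nfsd (UDP)
# Dry run by default: prints "ipfw ..." lines. Set fwcmd=/sbin/ipfw to apply.
fwcmd="${fwcmd:-echo ipfw}"

# Emit the rule set. ipfw is first-match, so the order is the whole point:
# spoof checks and the external UDP deny must come before any NFS pass rule.
nfs_firewall_rules() {
    ${fwcmd} -f flush

    # Loopback is unrestricted; nothing may claim a 127/8 address elsewhere.
    ${fwcmd} add pass all from any to any via lo0
    ${fwcmd} add deny all from any to 127.0.0.0/8

    # Anti-spoof: internal source addresses never arrive on the external
    # interface, and external ones never arrive on the internal interface.
    ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
    ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

    # Jason's first rule: no UDP accepted in on the external interface at all.
    ${fwcmd} add deny udp from any to any in via ${oif}

    # NFS only between internal hosts and the NFS server, and only on the
    # internal interface. The external deny above already blocks the same
    # datagrams from the outside even if the server's address were spoofed.
    ${fwcmd} add pass udp from ${inet}:${imask} to ${nfs_server} ${nfs_ports} via ${iif}
    ${fwcmd} add pass udp from ${nfs_server} ${nfs_ports} to ${inet}:${imask} via ${iif}

    # "Rest of firewall rules" go here; finish with an explicit, logged deny.
    ${fwcmd} add deny log all from any to any
}

# Returns 0 when the external UDP deny precedes the first NFS pass rule,
# i.e. when the generated order actually enforces what the comments claim.
check_rule_order() {
    deny_line=$(nfs_firewall_rules | grep -n 'deny udp from any to any' | head -1 | cut -d: -f1)
    pass_line=$(nfs_firewall_rules | grep -n 'pass udp' | head -1 | cut -d: -f1)
    [ -n "$deny_line" ] && [ -n "$pass_line" ] && [ "$deny_line" -lt "$pass_line" ]
}

nfs_firewall_rules
```

Only portmapper and nfsd are listed; mountd and the lock/status daemons take portmapper-assigned ports, so they either need to be pinned to fixed ports and added to `nfs_ports`, or the pass rules have to be widened to the server host (still confined to the internal interface). Review the printed output, then rerun with `fwcmd=/sbin/ipfw` to load it.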