Date:      Thu, 10 May 2001 12:41:08 -0400
From:      Jason Andresen <jandrese@mitre.org>
To:        David Wolfskill <dhw@whistle.com>
Cc:        mandric@eecs.berkeley.edu, freebsd-stable@freebsd.org
Subject:   Re: nfs and ipfw
Message-ID:  <3AFAC4A4.9EAD5D4E@mitre.org>
References:  <200105101616.f4AGG2u97467@pau-amma.whistle.com>

David Wolfskill wrote:
> 
> >Date: Thu, 10 May 2001 09:10:34 -0700 (PDT)
> >From: Milan Andric <mandric@EECS.Berkeley.EDU>
> 
> >Can't you just allow udp from you nfs server ip?
> >in rc.firewall:
> 
> >${fwcmd} add pass udp from ${ip} to NFS-SERVER
> >${fwcmd} add pass udp from NFS-SERVER to ${ip}
> 
> >Milan
> 
> >On Thu, 10 May 2001, Cy Schubert - ITSD Open Systems Group wrote:
> 
> >> Not only difficult but leaves large enough holes in your firewall to
> >> drive a Mack truck through it.
> 
> Yup; that would qualify as "large enough holes in your firewall to drive
> a Mack truck through it".  At least.  (Was it your intent to provide an
> example of what Cy wrote...?)
> 
> Actually, if you want all UDP to flow unhindered, why bother with a
> "firewall"??!?  (OK; there could be some reasons -- like just tracking
> usage, to using dummynet facilities... but calling the result a
> "firewall" isn't very useful.)

Couldn't you specify something like:
No UDP traffic allowed in on the external interface,
<the two rules above>
Rest of firewall rules.

You may not even have to be that severe; shouldn't the anti-spoof
provisions work fine as long as your NFS-SERVER is behind the
firewall (which I have to assume it is, as NFS over the Internet
is not only dog slow, but completely and utterly exploitable)?


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3AFAC4A4.9EAD5D4E>
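The rule ordering Jason sketches (block inbound UDP on the outside interface first, then Milan's two pass rules, then the rest), written out as an rc.firewall-style fragment. This is an added example, not code from the thread or from the FreeBSD rc.firewall script; the interface name, the addresses, the rule numbers and the `nfs_rules` function name are all assumed, and `fwcmd` defaults to `echo ipfw` so the fragment can be dry-run on any machine without root or ipfw. The first rule is the anti-spoof check Jason refers to: a packet claiming the internal NFS server's address can never legitimately arrive on the external interface.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rule ordering for NFS behind
# a firewall, in the ${fwcmd} style of rc.firewall.
# All names and addresses below are assumptions for illustration.

fwcmd="${fwcmd:-echo ipfw}"            # dry-run by default; set fwcmd=/sbin/ipfw to apply
oif="${oif:-fxp0}"                      # assumed external (Internet-facing) interface
ip="${ip:-192.0.2.10}"                  # assumed address of this host
nfs_server="${nfs_server:-192.168.1.5}" # assumed internal NFS server (never on $oif)

# Emit the rules in the order that matters.  Later rules are only reached
# by packets the earlier ones did not match, so the broad UDP pass rules
# for the NFS server can only ever apply to traffic that did NOT enter
# through the external interface.
nfs_rules() {
    # 1. Anti-spoof: the internal NFS server's address must never show up
    #    as a source on the outside interface.
    ${fwcmd} add 100 deny ip from ${nfs_server} to any in via ${oif}

    # 2. No UDP at all is allowed in on the external interface.
    ${fwcmd} add 200 deny udp from any to any in via ${oif}

    # 3. Milan's two rules, now restricted to the inside by rule 200.
    ${fwcmd} add 300 pass udp from ${ip} to ${nfs_server}
    ${fwcmd} add 310 pass udp from ${nfs_server} to ${ip}

    # 4. Rest of the firewall rules; a default deny stands in for them here.
    ${fwcmd} add 65000 deny ip from any to any
}

nfs_rules
```

Run it as-is to see the rule list it would load, or `fwcmd=/sbin/ipfw sh thisfile` as root on the firewall host. Note that these rules only cover the UDP side of NFS; with the default-deny tail, anything else NFS needs (portmapper, mountd, or TCP mounts) has to be passed explicitly in the "rest of the rules" section.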