Date: Thu, 10 May 2001 17:51:04 -0400
From: The Anarcat <anarcat@tao.ca>
To: stable@freebsd.org
Subject: Re: nfs and ipfw
Message-ID: <20010510175104.A20106@dojo>
Hi.
I am suddenly becoming very interested in that thread. :)
My home setup is the following:
outside <----> router <----> hub <----> NFS server
The "firewall" is of course on the router.
The router often needs access to the read-only /usr/{src|obj|ports}
shares of the NFS server for obvious reasons.
I only allow "client" NFS connections out from the router, and only
originating from the router itself, of course.
Here are the 3 rules I used to allow the router to connect to the inside
nfs server:
# portmap query: UDP, keep-state so only the reply to this query comes back in
${fwcmd} add pass udp from ${iip} to ${shall} 111 out xmit ${iif} keep-state
# TCP to the NFS ports: setup, so only connections the router itself opens pass
${fwcmd} add pass tcp from ${iip} to ${shall} 1000-1050 out xmit ${iif} setup
${fwcmd} add pass tcp from ${iip} to ${shall} 22,2049 out xmit ${iif} setup
111 is for portmap, 1000-1050,2049 is for nfsd.
I do have strange "Bad RPC" messages when umounting /usr/ports, but
apart from that, I have a working setup.
A.
Cy Schubert - ITSD Open Systems Group wrote:
>
> In message <20010509174513.D18676@fw.wintelcom.net>, Alfred Perlstein
> writes:
> > * Sam <free@freep.org> [010509 17:32] wrote:
> > > does anyone know what rules one needs to get nfs through ipfw?
> > >
> > > thank you so much, Sam
> >
> > Please do a web search, the way RPC services are done it's a difficult
> > task to accomplish.
>
> Not only difficult but leaves large enough holes in your firewall to
> drive a Mack truck through it.
>
> Even if you could mitigate the holes in your firewall, the NFS protocol
> is extremely insecure which can lead to total compromise of your site.
> If both sites are trusted, e.g. managed by you personally, you could
> set up a VPN tunnel between both sites and route your NFS traffic
> through it. Having said that, I personally don't even allow NFS
> traffic through my VPN tunnels, as I try to keep sites as separate as
> possible reducing the risk of total compromise, should one of the sites
> be compromised, by containing any damage to only one site and if I can
> to one machine.
>
> Regards,                        Phone:    (250)387-8437
> Cy Schubert                     Fax:      (250)387-5766
> Team Leader, Sun/Alpha Team     Internet: Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC
>
--
Semantics is the gravity of abstraction.
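The reason the thread calls RPC through a packet filter "difficult" is that portmap hands out the ports for mountd, nlockmgr and status dynamically, so a hard-coded 1000-1050 range is a guess about what the server happens to register today. The check a practitioner would want before trusting such a range is to ask the server what it actually registered. The script below is an added example, not code from this thread or from FreeBSD: it parses the output of `rpcinfo -p <server>` (the sample embedded in it is constructed, not captured), emits ipfw rules in the same shape as the three rules posted above, and lists which registrations those three rules would not pass. The variable names ${fwcmd}, ${iip}, ${shall} and ${iif} are taken from the posted rules; the program-number table is the standard SunRPC assignment.

```python
"""Derive ipfw pass rules for one NFS client from `rpcinfo -p <server>` output.

Added example, not code from the thread or from FreeBSD.  It assumes the
ipfw syntax and the ${fwcmd}/${iip}/${shall}/${iif} variables of the posted
rules; the rpcinfo sample at the bottom is constructed, not captured.
"""
import re
import sys

# Standard SunRPC program numbers for the services a plain mount touches.
# portmapper (100000) is deliberately absent: it is covered by the fixed
# UDP 111 rule and is never passed through on other ports.
RPC_PROGRAMS = {
    100003: "nfs",
    100005: "mountd",
    100021: "nlockmgr",
    100024: "status",
}

# What the three posted rules pass: UDP 111 only; TCP 22, 1000-1050 and 2049.
POSTED_UDP_RANGES = [(111, 111)]
POSTED_TCP_RANGES = [(22, 22), (1000, 1050), (2049, 2049)]

# rpcinfo -p registration lines look like: "    100005    3   tcp   1023  mountd"
LINE_RE = re.compile(r"^\s*(\d+)\s+\d+\s+(tcp|udp)\s+(\d+)\b")


def parse_rpcinfo(text):
    """Map (service, proto) -> sorted list of ports the server registered."""
    regs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or anything that is not a registration
        program, proto, port = int(m.group(1)), m.group(2), int(m.group(3))
        name = RPC_PROGRAMS.get(program)
        if name is None:
            continue  # portmapper, rquotad, ...: not needed for the mount itself
        regs.setdefault((name, proto), set()).add(port)
    return {key: sorted(ports) for key, ports in regs.items()}


def ipfw_rules(regs, fwcmd="${fwcmd}", iip="${iip}", shall="${shall}", iif="${iif}"):
    """One pass rule per (service, proto), client -> server direction only.

    UDP rules use keep-state so only the answer to our own query gets back
    in; TCP rules use setup so only connections the router opens are allowed.
    The first rule is the fixed portmap query from the message.
    """
    rules = [f"{fwcmd} add pass udp from {iip} to {shall} 111 out xmit {iif} keep-state"]
    for (name, proto), ports in sorted(regs.items()):
        portlist = ",".join(str(p) for p in ports)
        tail = "keep-state" if proto == "udp" else "setup"
        rules.append(f"{fwcmd} add pass {proto} from {iip} to {shall} {portlist} "
                     f"out xmit {iif} {tail}  # {name}")
    return rules


def not_covered(regs):
    """Registrations the three posted rules would silently drop."""
    missing = []
    for (name, proto), ports in sorted(regs.items()):
        ranges = POSTED_TCP_RANGES if proto == "tcp" else POSTED_UDP_RANGES
        for port in ports:
            if not any(lo <= port <= hi for lo, hi in ranges):
                missing.append((name, proto, port))
    return missing


# Constructed sample of `rpcinfo -p` output, in the layout the tool prints.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   1023  mountd
    100005    3   tcp   1023  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp   1024  nlockmgr
    100021    3   tcp   1025  nlockmgr
    100024    1   udp    785  status
"""

if __name__ == "__main__":
    # Usage: save `rpcinfo -p server` output to a file and pass its path;
    # with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RPCINFO
    regs = parse_rpcinfo(text)
    for rule in ipfw_rules(regs):
        print(rule)
    for name, proto, port in not_covered(regs):
        print(f"# posted rules would block {name}/{proto} on port {port}", file=sys.stderr)
```

Run it against the sample and the second list is the interesting part: the posted rules pass mountd, nfs and nlockmgr over TCP, but every UDP registration except portmap (and status on a low port) would be dropped, so a client that mounts over UDP, or lockd traffic, would fail silently at the filter. Re-run the script whenever the server reboots, since the dynamically assigned ports can move.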