From owner-freebsd-security Tue May 2 06:10:37 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id GAA04298 for security-outgoing; Tue, 2 May 1995 06:10:37 -0700
Received: from phoenix.csc.calpoly.edu (phoenix.csc.calpoly.edu [129.65.17.14]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id GAA04290 for ; Tue, 2 May 1995 06:10:34 -0700
Received: from statler.CalPoly.Edu (statler.csc.calpoly.edu [129.65.17.8]) by phoenix.csc.calpoly.edu (8.6.11) with SMTP id GAA02195; Tue, 2 May 1995 06:10:30 -0700
Received: by statler.CalPoly.Edu (5.x/SMI-SVR4) id AA02722; Tue, 2 May 1995 06:10:28 -0700
From: nlawson@statler.csc.calpoly.edu (Nathan Lawson)
Message-Id: <9505021310.AA02722@statler.CalPoly.Edu>
Subject: Re: Security options for NFS?
To: bmk@dtr.com (Brant Katkansky)
Date: Tue, 2 May 1995 06:10:27 -0700 (PDT)
Cc: security@FreeBSD.org
In-Reply-To: <199505021046.DAA00960@dtr.com> from "Brant Katkansky" at May 2, 95 03:46:49 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: security-owner@FreeBSD.org
Precedence: bulk

> I'm looking to secure NFS and other services not covered by tcpd -
> what's the conventional wisdom for FreeBSD 2.0?

Good question. I recommend compiling with the "IPFIREWALL" and
"IPFIREWALL_VERBOSE" options. Then you can deny packets to those services
with the ipfw(8) utility.

Also, if you don't have the full ability to firewall, then you can use the
SecureLib library. It compiles with very minor tweaking. I am considering
sending it in to the ports people or whoever if anyone wants it.

For NFS, block tcp and udp ports 111, and udp port 2049.

Good luck,

--
Nathan Lawson \ Never let your schooling interfere with your education.
CSL 490/News Admin \
(805)756-7180 @Work \ "The steady state of disks is full." -- Ken Thompson

---------------------
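An added example, not part of the original message or of FreeBSD: ipfw evaluates rules in order and the first match wins, so a deny for the ports named above only helps if no earlier rule accepts the traffic. This Python script audits a constructed ruleset for that; the rule syntax (modern ipfw listing style with `dst-port`, not checked against FreeBSD 2.0), the sample rules and all function names are assumptions.

```python
import re

# Ports the message says to block for NFS: portmapper (tcp/udp 111), nfsd (udp 2049).
NFS_PORTS = [("tcp", 111), ("udp", 111), ("udp", 2049)]

# Assumed rule shape: NUMBER allow|deny PROTO from any to any [dst-port P[,P|LO-HI]]
RULE = re.compile(r"^(\d+)\s+(allow|deny)\s+(ip|all|tcp|udp)\s+from\s+any\s+to\s+any"
                  r"(?:\s+dst-port\s+([\d,-]+))?$")

# Constructed sample rulesets (not taken from any real host).
SHADOWED = """00100 allow ip from any to any
00200 deny tcp from any to any dst-port 111
00300 deny udp from any to any dst-port 111,2049
"""
ORDERED = """00200 deny tcp from any to any dst-port 111
00300 deny udp from any to any dst-port 111,2049
00400 allow ip from any to any
"""

def parse(listing):
    """Return (rules, skipped): parsed rules in order, plus lines needing manual review."""
    rules, skipped = [], []
    for line in filter(None, map(str.strip, listing.splitlines())):
        m = RULE.match(line)
        if m:
            rules.append((int(m[1]), m[2], m[3], m[4]))
        else:
            skipped.append(line)  # e.g. rules with specific addresses
    return rules, skipped

def matches(rule_proto, rule_ports, proto, port):
    """True if a rule's protocol and optional dst-port list cover proto/port."""
    if rule_proto not in ("ip", "all", proto):
        return False
    if rule_ports is None:
        return True
    for part in rule_ports.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def exposed(listing):
    """List (proto, port, rule_number) for NFS ports whose first match is not a deny."""
    rules, _ = parse(listing)
    findings = []
    for proto, port in NFS_PORTS:
        hit = next(((n, a) for n, a, rp, ps in rules if matches(rp, ps, proto, port)), None)
        if hit is None or hit[1] != "deny":
            findings.append((proto, port, hit[0] if hit else None))
    return findings
```

`exposed(SHADOWED)` reports all three ports as accepted by rule 100, while `exposed(ORDERED)` returns an empty list; a rule number of `None` means no parsed rule matched the port at all.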