From: Garrett Cooper
Date: Thu, 11 Jan 2007 13:50:48 -0800
To: freebsd-questions@freebsd.org
Message-ID: <45A6B138.7000409@u.washington.edu>
In-Reply-To: <1BB74CBD-0BEA-43C7-8635-01AFB790A5AA@mac.com>
Subject: Re: Firewalls and RPC (was "Re: Improvement to IPFilter / nfsd in FBSD (6.2+?)")

Chuck Swiger wrote:

> Actually, no. While rpcbind/portmap/portmapper is assigned to 111/tcp &
> udp, most other RPC services get assigned high port numbers in the 327xx
> range, but that varies considerably from platform to platform.

True. NFS is port 2049 by default, anyhow.

> Somewhat, yes. Samba/CIFS filesharing can require less trust between
> server and client as accessing a Samba share does not require superuser
> permissions, just limited user access, but Samba does require root
> access to start up and bind to the low ports it uses, and it also
> involves the "network browse master" (which nmbd can do) and so forth
> which involve subnet-oriented broadcast traffic.
>
> Samba/CIFS is a chatty protocol.

No kidding. The funny thing is that smbclient (Xbox Media Center runs smbclient), I've learned, requires more open ports to RPC services than regular CIFS-enabled Windows XP hosts, which has caused more issues than it's worth in the past.

> No, not really. What you probably want to focus on is protecting your
> entire subnet, including the fileserver and clients, from malicious
> traffic via your Internet link(s), and then worry about egress
> filtering, dividing your machines into a trusted internal LAN and a
> semi-trusted DMZ, and so forth.
> A firewall system should not be running any kind of filesharing; while
> you can run PF, IPFW, etc on your fileserver, that ought to be a
> secondary line of protection for "defense in depth", and your Internet
> connection ought to have a dual-homed or multihomed firewall machine
> which is dedicated to that role and which runs zero services.

Right. However, I don't trust the rest of the clients on my subnet other than the ones I maintain, so that's why I have set up the firewall rules I have. Sorry for not more clearly defining the situation earlier, but here's the reasoning / rationale for what I'm doing:

- I live in a house with a shared LAN with a total of around 50 hosts connected / disconnected at various times of the day.
- I don't trust any of the Windows clients devoid a small handful, because I have had a variety of connectivity problems caused by improperly managed personal machines, viruses, and spyware on machines here.
- There isn't a real means of properly controlling IP distribution, and people are free to change their IP addresses to whatever they choose (host information is set statically, not dynamically).
- I have 5 machines which have access to the network: 2 serving machines and 3 clients which aren't always attached to the network. I have set the IP addresses up so they all lie in a range, but I don't trust whether someone will IP squat my address and do whatever they want to my serving machines (whether they mean to or it happens by accident).
- Some of the machines on the network have access to the machine serving via Samba, but that's a limited number.

-Garrett
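The point Chuck raises, that only rpcbind (111) and NFS (2049) sit on fixed ports while mountd, lockd and status get platform-specific numbers, is what makes a static firewall rule for an NFS server fragile. The following is an added example, not code from this thread or from FreeBSD: it parses `rpcinfo -p` output (a constructed sample, not a real host), derives the ports a fileserver's host firewall has to pass, flags the ones that can move, and emits IPFilter-style rules restricted to a list of trusted hosts. The interface name `fxp0` and the trusted host list are assumptions.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample in the layout `rpcinfo -p` prints; not captured from a real host.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp    928  mountd
    100005    3   tcp    872  mountd
    100021    1   udp  32768  nlockmgr
    100024    1   tcp  32770  status
"""
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")

class RpcEntry(NamedTuple):
    proto: str
    port: int
    service: str

def parse_rpcinfo(text: str) -> List[RpcEntry]:
    """Parse rpcinfo -p output; the header line and any malformed line is skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(RpcEntry(m[3], int(m[4]), m[5]))
    return out

def allow_list(entries: List[RpcEntry], wanted=("rpcbind", "nfs", "mountd")) -> Dict[str, Set[int]]:
    """proto -> ports a fileserver firewall must pass for the wanted services only."""
    ports: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    for e in entries:
        if e.service in wanted:
            ports[e.proto].add(e.port)
    return ports

def unstable_ports(entries: List[RpcEntry], fixed=(111, 2049)) -> List[RpcEntry]:
    """Entries off the well-known ports; rpcbind assigns these at start-up, so rules keyed to them go stale."""
    return [e for e in entries if e.port not in fixed]

def ipf_rules(ports: Dict[str, Set[int]], trusted: List[str], iface: str = "fxp0") -> List[str]:
    """IPFilter 'pass in' rules for trusted hosts, each port followed by a block for everyone else (iface/hosts assumed)."""
    rules = []
    for proto in sorted(ports):
        for port in sorted(ports[proto]):
            for host in trusted:
                rules.append(f"pass in quick on {iface} proto {proto} from {host} to any port = {port}")
            rules.append(f"block in quick on {iface} proto {proto} from any to any port = {port}")
    return rules
```

Re-run the parser after every reboot or rpcbind restart, since the mountd/lockd/status numbers it reports are exactly the ones that change. Rules keyed to source addresses inherit the IP-squatting problem Garrett describes, so on a LAN where addresses are self-assigned they are a convenience filter, not authentication.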