From owner-freebsd-questions@FreeBSD.ORG Thu Jan 11 21:58:50 2007
From: Chuck Swiger <cswiger@mac.com>
Date: Thu, 11 Jan 2007 13:58:47 -0800
To: Garrett Cooper
Cc: freebsd-questions@freebsd.org
Subject: Re: Firewalls and RPC (was "Re: Improvement to IPFilter / nfsd in FBSD (6.2+?)")
In-Reply-To: <45A6B138.7000409@u.washington.edu>
References: <45A688C0.2020506@u.washington.edu> <45A6A3EF.5030101@u.washington.edu> <1BB74CBD-0BEA-43C7-8635-01AFB790A5AA@mac.com> <45A6B138.7000409@u.washington.edu>
List-Id: User questions <freebsd-questions@freebsd.org>
X-Mailer: Apple Mail (2.752.2)
On Jan 11, 2007, at 1:50 PM, Garrett Cooper wrote:

>> Actually, no. While rpcbind/portmap/portmapper is assigned to 111/tcp & udp,
>> most other RPC services get assigned high port numbers in the 327xx range,
>> but that varies considerably from platform to platform.
>
> True. NFS is port 2049 by default, anyhow..

Good example, yet this is true on some platforms but not on others.

>> A firewall system should not be running any kind of filesharing; while
>> you can run PF, IPFW, etc on your fileserver, that ought to be a
>> secondary line of protection for "defense in depth", and your Internet
>> connection ought to have a dual-homed or multihomed firewall machine
>> which is dedicated to that role and which runs zero services.
>
> Right. However, I don't trust the rest of the clients on my subnet other
> than the ones I maintain, so that's why I have set up the firewall rules
> I have.

You really don't want to mix machines which are trusted with machines
which are not trusted on the same subnet. If you can't control which
client machines get which IPs, you pretty much cannot use firewall rules
to restrict filesharing only to the legit clients.

> Sorry for not more clearly defining the situation earlier, but here's
> the reasoning / rationale for what I'm doing..
>
> - I live in a house with a shared LAN with a total of around 50 hosts
>   connected / disconnected at various times of the day.
>
> - I don't trust any of the Windows clients devoid a small handful because
>   I have had a variety of connectivity problems caused by improperly
>   managed personal machines, virii, and spyware on machines here.
>
> - There isn't a real means of properly controlling IP distribution and
>   people are free to change their IP addresses to whatever they choose
>   (host information is set statically, not dynamically).
>
> - I have 5 machines which have access to the network--2 serving machines
>   and 3 clients which aren't always attached to the network. I have set
>   the IP addresses up so they all lie in a range, but I don't trust
>   whether someone will IP squat my address and do whatever they want to my
>   serving machines (whether they mean to or it happens by accident).
>
> - Some of the machines on the network have access to the machine serving
>   via Samba, but that's a limited number.

Perhaps you should consider setting up your own private subnet for your
machines, and having a firewall guarding access to your machines which
performs static NAT for the set of five IP addresses you've made claim to.

--
-Chuck
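The layout Chuck recommends above (a dedicated dual-homed firewall in front of a private segment, with static 1:1 NAT for the addresses claimed on the shared LAN), sketched as a pf.conf for a FreeBSD 6.x-era PF. This is an added example and not configuration from either poster; the interface names, the 192.168.1.0/24 shared LAN, the 10.10.10.0/24 private segment, the per-host addresses and the Samba client list are all placeholders. Only the two ports the thread names (111 for rpcbind/portmap, 2049 for NFS) are pinned; the other RPC services the thread mentions land on dynamically assigned high ports, so it is the default-deny, not a port list, that keeps them off the shared LAN.

```pf
# pf.conf for the dedicated, dual-homed firewall described in the thread.
# Placeholders (not from the thread): ext_if faces the shared house LAN,
# int_if faces the private segment that only the poster's machines join.
ext_if      = "fxp0"
int_if      = "fxp1"
shared_lan  = "192.168.1.0/24"
private_net = "10.10.10.0/24"

# Private-side servers and the shared-LAN addresses they are reachable as.
# The firewall owns the 192.168.1.x addresses (ifconfig aliases on ext_if),
# so nobody on the shared LAN can squat the address and reach the filers.
nfs_server_int   = "10.10.10.2"
nfs_server_ext   = "192.168.1.50"
samba_server_int = "10.10.10.3"
samba_server_ext = "192.168.1.51"

# The limited set of shared-LAN hosts allowed to use Samba (placeholder).
samba_clients = "{ 192.168.1.20, 192.168.1.21 }"

# Ports the thread names: rpcbind/portmap 111, NFS 2049, both tcp and udp.
rpc_ports = "{ 111, 2049 }"
smb_tcp   = "{ 139, 445 }"
smb_udp   = "{ 137, 138 }"

set skip on lo0
scrub in all

# Static (1:1) NAT: each server keeps one fixed address on the shared LAN.
# Translation runs before filtering, so inbound filter rules on $ext_if
# below match on the already-translated private address.
binat on $ext_if from $nfs_server_int   to any -> $nfs_server_ext
binat on $ext_if from $samba_server_int to any -> $samba_server_ext

# Default deny; log what the shared LAN tries so squatting attempts show up
# in pflog rather than going unnoticed.
block in log all
block out all

# rpcbind and NFS are served to the private segment only. Nothing arriving
# on the shared-LAN side may reach them, whatever source address it claims.
block in quick on $ext_if proto { tcp, udp } from any to any port $rpc_ports

# The named Samba clients reach the Samba host, and nothing else.
pass in on $ext_if proto tcp from $samba_clients to $samba_server_int port $smb_tcp keep state
pass in on $ext_if proto udp from $samba_clients to $samba_server_int port $smb_udp keep state

# The private segment may talk out; binat rewrites the source on the way.
pass in  on $int_if from $private_net to any keep state
pass out on $int_if all keep state
pass out on $ext_if from any to any keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. The same `rpc_ports` / `private_net` pair reused on the fileserver itself gives the "secondary line of protection" the thread describes: there it is belt-and-braces, because with the filers on their own segment the firewall is already the only path a shared-LAN host has to them.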