From owner-freebsd-questions  Fri Oct 11 15:48:52 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 77DE437B401 for ; Fri, 11 Oct 2002 15:48:50 -0700 (PDT)
Received: from fep4.cogeco.net (smtp.cogeco.net [216.221.81.25]) by mx1.FreeBSD.org (Postfix) with ESMTP id E58F543E75 for ; Fri, 11 Oct 2002 15:48:49 -0700 (PDT) (envelope-from dlavigne6@cogeco.ca)
Received: from d226-42-146.home.cgocable.net (d226-42-146.home.cgocable.net [24.226.42.146]) by fep4.cogeco.net (Postfix) with ESMTP id B416F67E2; Fri, 11 Oct 2002 18:48:48 -0400 (EDT)
Date: Fri, 11 Oct 2002 18:49:58 -0400 (EDT)
From: Dru
X-X-Sender: dlavigne6@dhcp-17-14.kico2.on.cogeco.ca
To: Mark
Cc: "DaleCo, S.P.---'the solutions people'" ,
Subject: Re: NFS rules for ipfw
In-Reply-To: <20021011205606.DD65443E88@mx1.FreeBSD.org>
Message-ID: <20021011182231.I1552-100000@dhcp-17-14.kico2.on.cogeco.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Fri, 11 Oct 2002, Mark wrote:

> It's been remarkably non-trivial to find out what ports NFS is using. A
> search through a few NFS and TCP programming books here has yielded little,
> as has google.
>
> However, I did do a tcpdump on the failed connect, and there was activity on
> the sunrpc port, and then 713, 714, and 1023 (all UDP).
>
> I'll fiddle with more ipfw rules and see what I can't come up with. My
> relative beginner's status with firewalls becomes apparent rapidly ....

Hi Mark,

You didn't say what information you found, but I assume you discovered that
portmapper uses port 111 and NFS uses port 2049.

Are you _absolutely_, positively sure that you _really_ really, really want
to do this? That there is absolutely no other way to share that data between
network segments? What you're asking is the sort of question that stops a
security admin dead in his tracks as he turns pale, his eyes go buggy, he
gasps for breath, and clutches his heart in terror...

Let's see here. You need to:

- open up RPC (see www.sans.org/top20 if you don't know why RPC is a bad
  thing yet). This requires port 111 to receive the port-mapping request.
  Then ports 1024 to 65535 (both TCP and UDP!) need to be left open so
  portmapper can do its thing. Might as well throw your firewall away.

- use "mountd", "lockd", and "statd", which are all RPC based. They are
  interesting terms to look up at search.cert.org

Now, having said all that, you can reduce your risk by making sure the
FreeBSD box is fully up-to-date and patched, use stateful rules and be
picky on source and destination. However, this is only decreasing the risk
of a very huge security risk. Both NFS and RPC were designed to stay on one
LAN segment; they're an accident waiting to happen when you start punching
holes in order to share information across LAN segments. You really should
have a very compelling reason before you consider taking that risk.

HTH,
Dru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
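The two rulesets Dru contrasts above, written out as an added example that is not part of the thread: the wide-open set that lets portmapper "do its thing" from anywhere, beside the reduced-risk set that uses stateful rules and is picky about source and destination. The ipfw keywords (`setup`, `keep-state`, `check-state`, `deny log`, comma-separated port lists) are standard ipfw(8) syntax; the client subnet 192.0.2.0/24, the server 198.51.100.5, the rule-number base and the `IPFW` variable are constructed for the example so it can be run as a dry run with `IPFW=echo`.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Addresses are constructed
# placeholders. IPFW defaults to "echo" so the script prints the rules it would
# install; set IPFW=/sbin/ipfw on a real FreeBSD host to load them.
IPFW="${IPFW:-echo}"

# The naive ruleset Dru warns about: portmapper (111), NFS (2049) and the whole
# 1024-65535 range for mountd/lockd/statd, from anywhere, TCP and UDP, stateless.
open_rules() {
    cat <<'EOF'
add allow tcp from any to any 111
add allow udp from any to any 111
add allow tcp from any to any 2049
add allow udp from any to any 2049
add allow tcp from any to any 1024-65535
add allow udp from any to any 1024-65535
EOF
}

# The reduced-risk ruleset: only the client subnet may reach only the NFS
# server, every flow is client-initiated and tracked (setup/keep-state, matched
# on the way back by check-state), and anything else aimed at the server's RPC
# ports is denied and logged so probes show up in the firewall log.
restricted_rules() {
    clients="$1"   # e.g. 192.0.2.0/24 (constructed)
    server="$2"    # e.g. 198.51.100.5 (constructed)
    cat <<EOF
add check-state
add allow tcp from $clients to $server 111 setup keep-state
add allow udp from $clients to $server 111 keep-state
add allow tcp from $clients to $server 2049 setup keep-state
add allow udp from $clients to $server 2049 keep-state
add allow tcp from $clients to $server 1024-65535 setup keep-state
add allow udp from $clients to $server 1024-65535 keep-state
add deny log tcp from any to $server 111,2049,1024-65535
add deny log udp from any to $server 111,2049,1024-65535
EOF
}

# Feed a ruleset to ipfw one rule at a time, numbering from a base so the whole
# group can later be inspected or deleted by number. Usage:
#   apply_rules 1000 restricted_rules 192.0.2.0/24 198.51.100.5
apply_rules() {
    base="$1"; shift
    n=0
    "$@" | while IFS= read -r rule; do
        n=$((n + 1))
        set -- $rule              # split "add allow tcp ..." into words
        verb="$1"; shift
        $IPFW "$verb" $((base + n)) "$@"
    done
}
```

Even the restricted set still has to admit the 1024-65535 range, because portmapper hands out those ports dynamically; what `keep-state` buys is that only flows opened by the named client subnet toward the named server ever match it, and the `deny log` lines turn any other traffic to those ports into a log entry rather than a silent drop.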