Date: Tue, 29 Nov 2005 22:33:41 -0500
From: Chuck Swiger <cswiger@mac.com>
To: "Aaron P. Martinez" <ml@proficuous.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: pf blocking nfs
Message-ID: <438D1D95.7010503@mac.com>
In-Reply-To: <63871.192.168.3.69.1133320948.squirrel@webmail.proficuous.com>
References: <60336.192.168.3.69.1133319528.squirrel@webmail.proficuous.com> <438D1894.90500@mac.com> <63871.192.168.3.69.1133320948.squirrel@webmail.proficuous.com>
Aaron P. Martinez wrote:
[ ... ]
> Actually my network looks like this:
>
> INT---firewall------internal router/firewall---------good lan
>          |                    |
>          |                    |---------insecure lan (windoze machines)
>          |
>          |----DMZ
>
> the good lan is the only one that does nfs, so the nfs doesn't actually
> pass through the firewall, just connects to the internal router/firewall.
> I am simply trying to avoid a worst case scenario (internal router gets
> compromised) so trying to allow ONLY return packets. Is this unfeasible?

I take it that your internal firewall box has three NICs, then?

Normally, your firewall should not be doing anything else but security and
would not be mounting NFS or depending on any other services on your
network. If that is not possible, you should permit traffic through the
interface on the "good LAN".

-- 
-Chuck
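As an added illustration of Chuck's fallback advice (permit the NFS traffic only on the good-LAN interface, and only the replies to what the router itself sent), here is a pf.conf fragment for the internal router/firewall. It is not from the thread or from FreeBSD's own documentation; the interface name, addresses and port list are assumptions.

```pf
# Added example, not from the original thread. pf.conf for the internal
# router/firewall that mounts NFS from a server on the "good LAN".
# Interface name and addresses are assumed values.
good_if    = "em1"          # NIC facing the good LAN
fw_good_ip = "192.0.2.1"    # this box's address on the good LAN
nfs_server = "192.0.2.10"   # the NFS server on the good LAN

set block-policy drop
set skip on lo0

# Default deny on every interface; anything not matched below is dropped
# and logged, including any unsolicited inbound packet from the good LAN.
block log all

# The only traffic this box originates towards the good LAN is NFS client
# traffic to the server. Because these rules keep state, the server's
# replies are admitted by the state table and no "pass in" rule is needed,
# which is what "allow ONLY return packets" amounts to in pf.
# 111 = portmapper, 2049 = nfsd; NFSv3 mounts also use UDP.
pass out quick on $good_if proto tcp from $fw_good_ip to $nfs_server \
    port { 111, 2049 } flags S/SA keep state
pass out quick on $good_if proto udp from $fw_good_ip to $nfs_server \
    port { 111, 2049 } keep state
```

The list of ports above is the assumption that needs checking before this is loaded: mountd, rpc.lockd and rpc.statd pick dynamic ports by default, so either pin them to fixed ports on the server (FreeBSD's mountd, rpc.lockd and rpc.statd each take a -p option for this, set through their rc.conf flags variables) and add those ports to the rules, or expect the mount to hang once the block rule logs the first drop. A quick check after loading the rules is `pfctl -s state` while a mount is active, which should show only state entries whose source is the router's good-LAN address.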