Date:      Mon, 18 Mar 2002 15:30:29 +0100 (CET)
From:      "Hartmann, O." <ohartman@klima.physik.uni-mainz.de>
To:        freebsd-questions@freebsd.org
Subject:   NIS/YP, NFS and PORTMAPPER over BRIDGED FIREWALL, please help
Message-ID:  <20020318150752.H12650-100000@klima.physik.uni-mainz.de>

Hello.

I have to deal with a complicated scenario of bad network architecture,
but since I can not redesign the network, I have to deal with what's given.

Our institute lives within a shared numeric domain and our pool of IPs is shared
with two other departments, but each of these departments has 'unique' aliases.

Our department has a server farm, located in a special room, and I want to 'secure'
this room, and for that I built up a bridge with PicoBSD that should do the firewalling
work. So far. The PicoBSD works well, it is already set up. But I ran into trouble
setting up dedicated rules for each host. I want to sketch my ideas:

There are five main servers behind the bridge, so at the beginning of the filter
rule table I do this for each host behind the bridge:

$fwcmd add 190 skipto 1000 ip from any to $host1
$fwcmd add 200 skipto 1000 ip from $host1 to any

Intention is to have for each host a dedicated 'block' of rulesets.

Then I define a block of rulesets for this special host, and initially I try
to allow all traffic to and from the 'inner' servers by doing this:

$fwcmd add 1010 allow ip from $host1 to $host2
$fwcmd add 1020 allow ip from $host2 to $host1
$fwcmd add 1030 allow ip from $host1 to $host3
$fwcmd add 1040 allow ip from $host3 to $host1
		.
		.
		.

and I do this for each host to ensure that traffic can pass.
Well, this maybe seems foolish, but I have no other idea to work
around the problem we have with the chaos of the given network.

At this moment I test the bridge with only one host behind the
firewall, and it is a NIS/YP client; the NIS/YP servers are 'outbound',
but that should not matter.

The problem occurring is that NFS works fine, but ssh, telnet and other
services, which seem to 'authenticate' an incoming user via NIS/YP, fail!
I opened port 111 for portmap, both TCP and UDP, but nothing happened.
I read the manuals of portmap and I understand the way it works this
way: a client 'asks' for a service and gets a response from portmap giving the
service number and the port number the wanted service/server is listening on. Then the
client tries again on this port. But only NFS has a fixed port (2049); all other
services are unpredictable in theory, or is this wrong? Sorry, I'm a
network novice this way, and before studying too much literature I would like to
ask the net ...
If this is true (I mean how portmap works) it seems to be impossible to 'allow'
dedicated ports to receive traffic.
This 'theory' gets more likely as I receive messages on the console of the host
(the one behind the bridge) that it is missing its NIS/YP domain (domain not responding).
Opening the bridge with this

    $fwcmd add allow ip from $net:$mask to $net:$mask

'solves' the problem, but in our situation here it means: the bridge is open
for everything, so I could uninstall it and the result would be the same ...


--
Kind regards
O. Hartmann

ohartman@klima.physik.uni-mainz.de
------------------------------------------------------------------
IT-Administration des Institutes fuer Physik der Atmosphaere (IPA)
------------------------------------------------------------------
Johannes Gutenberg Universitaet Mainz
Becherweg 21
55099 Mainz

Tel: +496131/3924662 (machine room)
Tel: +496131/3924144 (office)
FAX: +496131/3923532


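The message's description of the portmapper is accurate: a client sends a GETPORT request to port 111 naming an RPC program number, version and transport, and gets back whatever port that service registered when it started; only NFS sits on a fixed 2049. The following script is an added example (it is not from the message, PicoBSD or FreeBSD) that builds and parses exactly that exchange, surveys which ports the NIS/NFS services currently occupy on a server, and emits `allow` rules in the same per-host `$fwcmd add N ...` style as the message's rule blocks. The program numbers are the standard rpc(5) ones; the service versions in `PROGRAMS`, the rule numbers starting at 1100 and the host used in the usage line are assumptions.

```python
"""Ask a portmapper (Sun RPC program 100000, v2) where RPC services listen,
then turn the answer into ipfw 'allow' lines in the per-host block style.

Added example, not code from the original message. Assumes the standard
rpc(5) program numbers below and the service versions listed with them.
"""
import socket
import struct
import sys

PMAP_PORT = 111
PMAPPROC_GETPORT = 3          # "give me the port for (prog, vers, proto)"
IPPROTO_TCP, IPPROTO_UDP = 6, 17

# Standard RPC program numbers; the versions are assumed typical registrations.
PROGRAMS = {
    "nfs": (100003, 3),
    "ypserv": (100004, 2),
    "mountd": (100005, 3),
    "ypbind": (100007, 2),
    "nlockmgr": (100021, 4),
    "status": (100024, 1),
}


def build_getport_call(xid, prog, vers, proto):
    """Encode one PMAPPROC_GETPORT CALL message (RFC 1057 framing for UDP)."""
    header = struct.pack(">IIIIII",
                         xid,     # transaction id, echoed back in the reply
                         0,       # msg_type = CALL
                         2,       # RPC protocol version
                         100000,  # target program: the portmapper itself
                         2,       # portmapper version
                         PMAPPROC_GETPORT)
    auth = struct.pack(">IIII", 0, 0, 0, 0)            # AUTH_NULL cred + verifier
    args = struct.pack(">IIII", prog, vers, proto, 0)  # mapping{prog, vers, prot, port}
    return header + auth + args


def parse_getport_reply(data, expected_xid):
    """Return the port from a GETPORT reply (0 = not registered), or raise."""
    if len(data) < 20:
        raise ValueError("reply too short")
    xid, msg_type, reply_stat, _flavor, verf_len = struct.unpack(">IIIII", data[:20])
    if xid != expected_xid:
        raise ValueError("xid mismatch: reply is not for our call")
    if msg_type != 1 or reply_stat != 0:       # 1 = REPLY, 0 = MSG_ACCEPTED
        raise ValueError("call rejected (reply_stat=%d)" % reply_stat)
    off = 20 + ((verf_len + 3) & ~3)           # skip verifier body, 4-byte padded
    if len(data) < off + 8:
        raise ValueError("reply truncated")
    accept_stat, port = struct.unpack(">II", data[off:off + 8])
    if accept_stat != 0:                       # 0 = SUCCESS
        raise ValueError("portmapper error accept_stat=%d" % accept_stat)
    return port


def query_portmap(host, prog, vers, proto, timeout=2.0, xid=0x5EED0001):
    """One GETPORT round trip over UDP to port 111; needs 111 open on the bridge."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_getport_call(xid, prog, vers, proto), (host, PMAP_PORT))
        data, _ = s.recvfrom(4096)
    return parse_getport_reply(data, xid)


def survey(host):
    """Snapshot {(service, 'tcp'|'udp'): port} of what is registered right now."""
    ports = {}
    for name, (prog, vers) in PROGRAMS.items():
        for pname, pnum in (("tcp", IPPROTO_TCP), ("udp", IPPROTO_UDP)):
            try:
                ports[(name, pname)] = query_portmap(host, prog, vers, pnum)
            except (OSError, ValueError):
                ports[(name, pname)] = 0       # no usable answer: treat as unregistered
    return ports


def ipfw_rules(host, ports, fwcmd="$fwcmd", start=1100, step=10):
    """Emit allow rules for a snapshot, both directions, in the message's style.

    Rule numbers are assumed free in the caller's table. Ports other than
    NFS's 2049 are whatever the portmapper handed out at survey time and can
    change after a service restart, so the snapshot must be regenerated then.
    """
    lines, n = [], start
    for (name, proto), port in sorted(ports.items()):
        if port == 0:                          # service not registered: no rule
            continue
        lines.append(f"{fwcmd} add {n} allow {proto} from any to {host} {port}")
        lines.append(f"{fwcmd} add {n + step} allow {proto} from {host} {port} to any")
        n += 2 * step
    return lines


if __name__ == "__main__":
    target = sys.argv[1]                       # e.g. the NIS/NFS server's address
    print("\n".join(ipfw_rules(target, survey(target))))
```

Run it from a host that is allowed to reach port 111 on the server, e.g. `python3 pmap_survey.py nis-server.example` (hostname assumed), and paste the output into the host's rule block. The important lesson is in `ipfw_rules`'s docstring: apart from 2049 the generated ports are a snapshot, which is why opening 111 alone was not enough and why a static rule set cannot follow services that re-register on a different port after a restart.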