Date: Thu, 10 May 2001 09:10:34 -0700 (PDT)
From: Milan Andric
To: Cy Schubert - ITSD Open Systems Group
Cc: Alfred Perlstein, Sam, Freebsd-Stable
Subject: Re: nfs and ipfw
In-Reply-To: <200105101355.f4ADt4r07717@cwsys.cwsent.com>

Can't you just allow UDP from your NFS server IP? In rc.firewall:

    ${fwcmd} add pass udp from ${ip} to NFS-SERVER
    ${fwcmd} add pass udp from NFS-SERVER to ${ip}

Milan

On Thu, 10 May 2001, Cy Schubert - ITSD Open Systems Group wrote:

> In message <20010509174513.D18676@fw.wintelcom.net>, Alfred Perlstein
> writes:
> > * Sam [010509 17:32] wrote:
> > > does anyone know what rules one needs to get nfs through ipfw?
> > >
> > > thank you so much, Sam
> >
> > Please do a web search, the way RPC services are done it's a difficult
> > task to accomplish.
>
> Not only difficult but leaves large enough holes in your firewall to
> drive a Mack truck through it.
>
> Even if you could mitigate the holes in your firewall, the NFS protocol
> is extremely insecure which can lead to total compromise of your site.
> If both sites are trusted, e.g. managed by you personally, you could
> set up a VPN tunnel between both sites and route your NFS traffic
> through it. Having said that, I personally don't even allow NFS
> traffic through my VPN tunnels, as I try to keep sites as separate as
> possible, reducing the risk of total compromise, should one of the sites
> be compromised, by containing any damage to only one site and if I can
> to one machine.
>
>
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                    Fax:    (250)387-5766
> Team Leader, Sun/Alpha Team    Internet: Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
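An added example, not from anyone in the thread: a small rc.firewall helper that narrows Milan's "all UDP from the server" rules to one client, one server and the two fixed NFS ports (portmapper 111 and nfsd 2049), which is the part of the RPC port problem a static ipfw rule can actually pin down. The function name, the placeholder addresses and passing "echo" as the firewall command (to print rules instead of loading them) are assumptions for illustration.

```shell
# Emit ipfw rules that admit NFS/RPC traffic only between one client and one
# server on the ports that are fixed: 111 (rpcbind/portmapper) and 2049 (nfsd).
# mountd, lockd and statd still use dynamically assigned RPC ports unless the
# host pins them, so they are not covered here on purpose; the closing deny
# rule makes any other UDP from the server hit the log rather than pass silently.
# Usage: nfs_rules "$fwcmd" <client-ip> <nfs-server-ip>; pass "echo" to preview.
nfs_rules() {
    fwcmd="$1"; client="$2"; server="$3"
    for port in 111 2049; do
        # client request to the server's fixed port
        "$fwcmd" add pass udp from "$client" to "$server" "$port"
        # server reply from that fixed port back to the client
        "$fwcmd" add pass udp from "$server" "$port" to "$client"
    done
    # anything else the server sends is denied and logged, not quietly allowed
    "$fwcmd" add deny log udp from "$server" to "$client"
}

# Constructed placeholder addresses; "echo" prints the rules instead of loading them.
nfs_rules echo 192.0.2.10 192.0.2.20
```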