Date: Thu, 10 May 2001 09:10:34 -0700 (PDT)
From: Milan Andric <mandric@EECS.Berkeley.EDU>
To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
Cc: Alfred Perlstein <bright@wintelcom.net>, Sam <free@freep.org>, Freebsd-Stable <freebsd-stable@FreeBSD.ORG>
Subject: Re: nfs and ipfw
Message-ID: <Pine.SOL.4.30.0105100906590.22139-100000@argus.EECS.Berkeley.EDU>
In-Reply-To: <200105101355.f4ADt4r07717@cwsys.cwsent.com>
Can't you just allow udp from your nfs server ip?

in rc.firewall:

    ${fwcmd} add pass udp from ${ip} to NFS-SERVER
    ${fwcmd} add pass udp from NFS-SERVER to ${ip}

Milan

On Thu, 10 May 2001, Cy Schubert - ITSD Open Systems Group wrote:

> In message <20010509174513.D18676@fw.wintelcom.net>, Alfred Perlstein
> writes:
> > * Sam <free@freep.org> [010509 17:32] wrote:
> > > does anyone know what rules one needs to get nfs through ipfw?
> > >
> > > thank you so much, Sam
> >
> > Please do a web search, the way RPC services are done it's a difficult
> > task to accomplish.
>
> Not only difficult but leaves large enough holes in your firewall to
> drive a Mack truck through it.
>
> Even if you could mitigate the holes in your firewall, the NFS protocol
> is extremely insecure which can lead to total compromise of your site.
> If both sites are trusted, e.g. managed by you personally, you could
> set up a VPN tunnel between both sites and route your NFS traffic
> through it. Having said that, I personally don't even allow NFS
> traffic through my VPN tunnels, as I try to keep sites as separate as
> possible reducing the risk of total compromise, should one of the sites
> be compromised, by containing any damage to only one site and if I can
> to one machine.
>
>
> Regards,                       Phone:     (250)387-8437
> Cy Schubert                    Fax:       (250)387-5766
> Team Leader, Sun/Alpha Team    Internet:  Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
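Editor's note, added to this archived thread and not part of any message in it: Milan's two rules pass every UDP datagram between the client and the NFS server, which is exactly the "hole" Cy objects to, while Alfred's point is that the RPC services behind NFS (mountd, lockd, statd) register on ports the portmapper hands out at start-up, so there is no fixed port list to filter on. The script below shows the tighter alternative: feed it the output of `rpcinfo -p NFS-SERVER` and it emits per-port ipfw rules for just the RPC programs an NFS mount needs (portmapper, mountd, nfs, nlockmgr, status), in the same `add pass udp from ... to ...` form the thread uses. The rpcinfo output, the addresses 192.0.2.10 (server) and 192.0.2.20 (client), and the port numbers are all constructed for the example and are not from the thread.

```shell
#!/bin/sh
# Added example: generate per-port ipfw rules for NFS from `rpcinfo -p` output,
# instead of passing all UDP between client and server as the thread suggests.
# Everything below (addresses, ports, rpcinfo listing) is constructed/hypothetical.

# nfs_ipfw_rules SERVER CLIENT   (reads `rpcinfo -p SERVER` output on stdin)
# Prints one "add pass udp" rule per direction for each UDP port used by the
# RPC programs an NFS mount touches. Ports are de-duplicated because rpcinfo
# lists one line per program version (nfs v2/v3, mountd v1/v3 share a port).
nfs_ipfw_rules() {
    server=$1
    client=$2
    awk -v srv="$server" -v cli="$client" '
        # rpcinfo -p columns: program vers proto port service
        $3 == "udp" && ($5 == "portmapper" || $5 == "mountd" || $5 == "nfs" ||
                        $5 == "nlockmgr"   || $5 == "status") {
            if (!seen[$4]++) {
                printf "add pass udp from %s to %s %s\n", cli, srv, $4
                printf "add pass udp from %s %s to %s\n", srv, $4, cli
            }
        }'
}

# Constructed `rpcinfo -p` listing for a hypothetical FreeBSD NFS server.
# Only 111 (portmapper) and 2049 (nfs) are fixed; mountd, nlockmgr and status
# got whatever the portmapper handed out when the daemons started.
SAMPLE_RPCINFO=$(cat <<'EOF'
   program vers proto   port  service
    100000    2   udp    111  portmapper
    100000    2   tcp    111  portmapper
    100005    1   udp   1023  mountd
    100005    3   udp   1023  mountd
    100005    1   tcp   1023  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100021    1   udp    836  nlockmgr
    100024    1   udp    839  status
EOF
)

# Demo run; in practice pipe the real listing:  rpcinfo -p NFS-SERVER | nfs_ipfw_rules ...
printf '%s\n' "$SAMPLE_RPCINFO" | nfs_ipfw_rules 192.0.2.10 192.0.2.20
```

The generated set is ten rules (five UDP ports, two directions) rather than two, and it only admits traffic to ports the server actually registered. The caveat is the one Alfred raises: three of those ports (mountd, nlockmgr, status in the sample) are dynamic, so the rules must be regenerated, or the daemons pinned to fixed ports, whenever the server restarts; whether your release's mountd(8), rpc.lockd(8) and rpc.statd(8) support a fixed-port option is something to check in its man pages, as it is not stated in the thread. Mounts over TCP would need matching `tcp` rules, which the `$3 == "udp"` test deliberately excludes here to stay with the thread's UDP-only setup. None of this changes Cy's larger point: port filtering limits which sockets are reachable, not what NFS itself trusts once a client is allowed in.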
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.SOL.4.30.0105100906590.22139-100000>