Date: Thu, 10 May 2001 17:51:04 -0400
From: The Anarcat <anarcat@tao.ca>
To: stable@freebsd.org
Subject: Re: nfs and ipfw
Message-ID: <20010510175104.A20106@dojo>
Reply-To: anarcat@tao.ca
User-Agent: Mutt/1.2.5i

Hi.

I am suddenly becoming very interested in that thread. :)

My home setup is the following:

  outside <----> router <----> hub <----> NFS server

The "firewall" is of course on the router. The router often needs access
to the read-only /usr/{src|obj|ports} shares of the NFS server for
obvious reasons.

I only allow "client" NFS connections out from the router, and only
originating from the router itself, of course.

Here are the 3 rules I used to allow the router to connect to the inside
NFS server:

  ${fwcmd} add pass udp from ${iip} to ${shall} 111 out xmit ${iif} keep-state
  ${fwcmd} add pass tcp from ${iip} to ${shall} 1000-1050 out xmit ${iif} setup
  ${fwcmd} add pass tcp from ${iip} to ${shall} 22,2049 out xmit ${iif} setup

111 is for portmap, 1000-1050,2049 is for nfsd.

I do have strange "Bad RPC" messages when umounting /usr/ports, but
apart from that, I have a working setup.

A.

Cy Schubert - ITSD Open Systems Group wrote:
>
> In message <20010509174513.D18676@fw.wintelcom.net>, Alfred Perlstein
> writes:
> > * Sam [010509 17:32] wrote:
> > > does anyone know what rules one needs to get nfs through ipfw?
> > >
> > > thank you so much, Sam
> >
> > Please do a web search, the way RPC services are done it's a difficult
> > task to accomplish.
>
> Not only difficult but leaves large enough holes in your firewall to
> drive a Mack truck through it.
>
> Even if you could mitigate the holes in your firewall, the NFS protocol
> is extremely insecure which can lead to total compromise of your site.
> If both sites are trusted, e.g. managed by you personally, you could
> set up a VPN tunnel between both sites and route your NFS traffic
> through it. Having said that, I personally don't even allow NFS
> traffic through my VPN tunnels, as I try to keep sites as separate as
> possible reducing the risk of total compromise, should one of the sites
> be compromised, by containing any damage to only one site and if I can
> to one machine.
>
> Regards,                         Phone:  (250)387-8437
> Cy Schubert                        Fax:  (250)387-5766
> Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC

--
Semantics is the gravity of abstraction.
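The difficulty Alfred mentions comes from the portmapper model: nfsd sits on 2049, but mountd and nlockmgr register with the portmapper on whatever port they happened to bind, so a fixed range like 1000-1050 is a guess that can silently miss a service (which is one plausible source of the "Bad RPC" noise on umount). A more defensible approach is to ask the server which ports are actually registered and generate the rules from that, opening only those ports from the router's own address. The script below is an added example, not code from the post or from FreeBSD; the `rpcinfo -p` listing, the addresses and the interface name are constructed for illustration, and the output is printed rather than executed so it can be reviewed before being piped to sh. If the server's mountd supports pinning its port (FreeBSD's mountd has a `-p port` flag), pinning it makes the ruleset stable across reboots; otherwise it must be regenerated whenever the daemons restart.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p <nfs-server>` output (not from the post).
# Columns: program vers proto port service
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100005    1   udp   1023  mountd
    100005    3   tcp   1023  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp   1014  nlockmgr
    100021    4   tcp   1016  nlockmgr'

# rpc_ports: read `rpcinfo -p` output on stdin and print one "proto port service"
# line per distinct proto/port pair, skipping the header and the portmapper itself
# (the portmapper gets its own fixed rules on port 111 below).
rpc_ports() {
    awk 'NR > 1 && $5 != "rpcbind" && $5 != "portmapper" {
             key = $3 " " $4
             if (!(key in seen)) { seen[key] = 1; print $3, $4, $5 }
         }'
}

# nfs_client_rules: emit ipfw rules that let only host IIP (the router) reach
# NFS server SRV out of interface IIF, mirroring the style of the rules in the
# post: stateful for UDP, SYN-only (setup) for TCP. Reads rpcinfo on stdin.
# Arguments: fwcmd iip srv iif
nfs_client_rules() {
    fwcmd=$1; iip=$2; srv=$3; iif=$4
    # Portmapper first; the client has to ask it where everything else lives.
    echo "$fwcmd add pass udp from $iip to $srv 111 out xmit $iif keep-state"
    echo "$fwcmd add pass tcp from $iip to $srv 111 out xmit $iif setup"
    # Then exactly the ports the server currently has registered, nothing wider.
    rpc_ports | while read proto port svc; do
        case $proto in
            tcp) echo "$fwcmd add pass tcp from $iip to $srv $port out xmit $iif setup" ;;
            udp) echo "$fwcmd add pass udp from $iip to $srv $port out xmit $iif keep-state" ;;
        esac
    done
}

# Dry run with constructed values: router 192.168.1.1, NFS server 192.168.1.10,
# inside interface fxp0. In real use replace SAMPLE_RPCINFO with
# `rpcinfo -p 192.168.1.10` and pipe the result to sh once it has been reviewed.
printf '%s\n' "$SAMPLE_RPCINFO" | nfs_client_rules ipfw 192.168.1.1 192.168.1.10 fxp0
```

The two checks worth keeping in mind: compare the generated list against what the 1000-1050 range would have covered (in the sample, mountd on 1023 fits but nothing guarantees it next boot), and note that none of this addresses Cy's point, since ipfw can restrict who talks to the server but not what the NFS protocol itself exposes once a client is allowed.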