Re: pf blocking nfs

From: Aaron P. Martinez (ml_at_proficuous.com)
Date: 11/30/05

    Date: Tue, 29 Nov 2005 21:22:28 -0600 (CST)
    To: "Chuck Swiger" <cswiger@mac.com>

    > Aaron P. Martinez wrote:
    >> I am running FreeBSD 6.0-release and setting up a very basic firewall
    >> using pf on my workstation. The ruleset is as follows:
    >>
    >> block in log all
    >> pass quick on lo0 all
    >> #pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
    >> pass out on fxp0 proto { tcp, udp, icmp } all keep state
    >
    > Your firewall config is not enough to permit NFS to pass. You might
    > consider adding a "pass all" rule for machines on the local subnet.
    >
    > [ Perhaps you should re-evaluate your network so that you do not attempt
    > to pass NFS through the firewall. If you have to do filesharing between
    > machines over an untrusted connection, you should consider a VPN or
    > SSH tunnel approach instead. ]
    >
    > --
    > -Chuck

    Actually my network looks like this:

    INT---firewall------internal router/firewall---------good lan
            | |
            | |---------insecure lan (windoze machines)
            |
            |----DMZ

    the good lan is the only one that does nfs, so the nfs doesn't actually
    pass through the firewall, just connects to the internal router/firewall.
    I am simply trying to avoid a worst case scenario (internal router gets
    compromised) so trying to allow ONLY return packets. Is this unfeasible?
    Can you suggest a rule instead of:
    pass out on fxp0 proto { tcp, udp, icmp } all keep state

    or in addition to that would still keep me very secure and at the same
    time allow me to use nfs as I'm trying?

    thanks for the quick reply,

    Aaron Martinez
    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
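A pf.conf sketch of the tighter outbound rule the poster is asking for, added here as an example and not taken from the thread or from anyone's real configuration; the server address, the pinned RPC port numbers, and pinning the server-side mountd/rpc.lockd/rpc.statd with their -p option are assumptions.

```pf
# Added example for the workstation described above (client side).
# Assumptions, not from the thread: the NFS server is the internal
# router/firewall at placeholder 192.0.2.1; fxp0 is the external
# interface as in the original ruleset; the server has pinned
# mountd/rpc.lockd/rpc.statd to fixed ports (FreeBSD: -p option),
# and this client's own rpc.lockd/rpc.statd are pinned as well.
ext_if      = "fxp0"
nfs_server  = "192.0.2.1"                 # placeholder address
# 111 = rpcbind/portmap, 2049 = nfsd; the others are placeholder
# values standing in for the ports the server was given with -p.
nfs_ports   = "{ 111, 2049, 4045, 4046, 4047 }"
# Placeholder ports this client's lockd/statd were pinned to with -p.
lock_ports  = "{ 4045, 4046 }"

block in log all
pass quick on lo0 all

# Original outbound rule from the thread: any tcp/udp/icmp flow this
# host starts is allowed and state carries the replies back. If the
# internal router is compromised, this still lets the workstation be
# coaxed into talking to anything, which is the exposure being asked about.
# pass out on $ext_if proto { tcp, udp, icmp } all keep state

# Tighter replacement: only NFS/RPC traffic to the one server. State is
# still created on the way out, so only matching replies are admitted.
pass out on $ext_if inet proto { tcp, udp } from $ext_if to $nfs_server \
        port $nfs_ports keep state
# ICMP to the server only, so unreachable/fragmentation-needed still work.
pass out on $ext_if inet proto icmp from $ext_if to $nfs_server keep state

# Only if NFS file locking is used: the server's rpc.lockd/rpc.statd
# initiate traffic back to the client, which "block in" would drop.
# Limit it to the server and to the client's pinned lockd/statd ports.
pass in log on $ext_if inet proto { tcp, udp } from $nfs_server to $ext_if \
        port $lock_ports keep state
```

With "block in log all" still in place, anything the server tries to open toward the client outside these rules shows up in the pflog interface, which is the cheapest way to confirm which port a mount attempt is actually stalling on.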

