Re: Firewalls and RPC (was "Re: Improvement to IPFilter / nfsd in FBSD (6.2+?)")



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chuck Swiger wrote:

> Actually, no. While rpcbind/portmap/portmapper is assigned to 111/tcp &
> udp, most other RPC services get assigned high port numbers in the 327xx
> range, but that varies considerably from platform to platform.

True. NFS is port 2049 by default, anyhow..

> Somewhat, yes. Samba/CIFS filesharing can require less trust between
> server and client as accessing a Samba share does not require superuser
> permissions, just limited user access, but Samba does require root
> access to start up and bind to the low ports it uses, and it also
> involves the "network browse master" (which nmbd can do) and so forth
> which involve subnet-oriented broadcast traffic.

> Samba/CIFS is a chatty protocol.

No kidding. The funny thing is that smbclient (Xbox Media Center runs
smbclient) I've learned requires more open ports than regular CIFS
enabled Windows XP hosts to RPC services, which has caused more issues
than it's worth in the past.

> No, not really. What you probably want to focus on is protecting your
> entire subnet, including the fileserver and clients, from malicious
> traffic via your Internet link(s), and then worry about egress
> filtering, dividing your machines into a trusted internal LAN and a
> semi-trusted DMZ, and so forth.

> A firewall system should not be running any kind of filesharing; while
> you can run PF, IPFW, etc on your fileserver, that ought to be a
> secondary line of protection for "defense in depth", and your Internet
> connection ought to have a dual-homed or multihomed firewall machine
> which is dedicated to that role and which runs zero services.

Right. However, I don't trust the rest of the clients on my subnet other
than the ones I maintain, so that's why I have set up the firewall rules
I have.

Sorry for not more clearly defining the situation earlier, but here's
the reasoning / rationale for what I'm doing..


<IT nightmare>

- I live in a house with a shared LAN with a total of around 50 hosts
connected / disconnected at various times of the day.

- I don't trust any of the Windows clients devoid a small handful because
I have had a variety of connectivity problems caused by improperly
managed personal machines, virii, and spyware on machines here.

- There isn't a real means of properly controlling IP distribution and
people are free to change their IP addresses to whatever they choose
(host information is set statically, not dynamically).

- I have 5 machines which have access to the network--2 serving machines
and 3 clients which aren't always attached to the network. I have set
the IP addresses up so they all lie in a range, but I don't trust
whether someone will IP squat my address and do whatever they want to my
serving machines (whether they mean to or it happens by accident).

- Some of the machines on the network have access to the machine serving
via Samba, but that's a limited number.

</IT nightmare>

-Garrett
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.1 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFprE4EnKyINQw/HARAjwyAKCY9F8O2rkdet2/gxNNqCQXij0xgwCfSF3/
tswDC5ovt0A5r3Tg7s7BSqE=
=iVhr
-----END PGP SIGNATURE-----
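The thread above boils down to a short list of ports (rpcbind on 111, nfsd on 2049, smbd/nmbd on the low NetBIOS/CIFS ports) that a fileserver on a shared, untrusted LAN should expose only to a handful of known hosts. Below is an added pf.conf fragment illustrating that on a FreeBSD fileserver; it is not from the thread or from either poster. The interface name `em0`, the `192.0.2.0/24` LAN and the three addresses in the `<trusted>` table are placeholders, and the rule set is the "secondary line of protection" Chuck describes, running on the server itself, not a replacement for a dedicated firewall at the Internet link.

```pf
# Added example (not from the thread): host firewall for a FreeBSD
# fileserver on a shared LAN. Interface, subnet and trusted addresses
# are assumed placeholders; adjust to the real network.
ext_if = "em0"
lan    = "192.0.2.0/24"                   # the shared house LAN (placeholder)

# Hosts allowed to reach the filesharing services. On a LAN where anyone
# can pick their own IP these addresses can be squatted, so this table is
# defense in depth, not an authentication mechanism.
table <trusted> const { 192.0.2.10, 192.0.2.11, 192.0.2.12 }

rpc_ports = "{ 111, 2049 }"               # rpcbind and nfsd (tcp and udp)
smb_tcp   = "{ 139, 445 }"                # smbd
smb_udp   = "{ 137, 138 }"                # nmbd: NetBIOS name and browse traffic

set block-policy drop
set skip on lo0

# Default deny inbound and log it; allow the server's own outbound traffic.
block in log on $ext_if
pass out on $ext_if keep state

# Filesharing services are reachable only from the trusted table.
pass in quick on $ext_if proto tcp from <trusted> to ($ext_if) port $rpc_ports flags S/SA keep state
pass in quick on $ext_if proto udp from <trusted> to ($ext_if) port $rpc_ports keep state
pass in quick on $ext_if proto tcp from <trusted> to ($ext_if) port $smb_tcp   flags S/SA keep state
pass in quick on $ext_if proto udp from <trusted> to ($ext_if) port $smb_udp   keep state

# Everyone else on the LAN falls through to the logged block above, so
# unexpected attempts from the other ~50 hosts show up in pflog.
```

Two caveats that follow from the thread. First, rpcbind and nfsd are only part of the NFS picture: mountd, rpc.statd and rpc.lockd are the services that land on the varying high ports Chuck mentions, so for this rule set to be complete those daemons should be pinned to fixed ports (each accepts a `-p` option on FreeBSD) and those ports added to `rpc_ports`; check `rpcinfo -p` on the server to see what is actually registered. Second, because the trust here is purely by source address, it does nothing against the IP-squatting case Garrett raises; what it does give is a logged, default-deny posture in which a squatter has to take a specific address rather than simply being on the subnet.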
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
