Blocking network file sharing

In my firewall, I thought it would be important to make sure network
file sharing protocols are blocked from connecting outside the local
network through any mistake or otherwise.

Here are the rules I put into my iptables firewall:


#--------------- Block Network File Sharing Protocols -----------------#
# Block outgoing network filesharing protocols not designed to leave LAN
# These are OUTPUT chain rules to prevent us sharing with unknown hosts

# SMB / Windows filesharing
iptables -A OUTPUT -o $EXT_IF -p tcp --sport $SMB_PORTS -j log_nfs
iptables -A OUTPUT -o $EXT_IF -p udp --sport $SMB_PORTS -j log_nfs

# NFS filesharing, + others (NFS Mount, Portmapper) services
iptables -A OUTPUT -o $EXT_IF -m multiport -p tcp --sport \
        $NFS_PORT,$MOUNT_PORT,$PORTMAPPER_PORT -j log_nfs
iptables -A OUTPUT -o $EXT_IF -m multiport -p udp --sport \
        $NFS_PORT,$MOUNT_PORT,$PORTMAPPER_PORT -j log_nfs
#----------------------------------------------------------------------#

(Where NFS_PORT="2049", MOUNT_PORT="635", PORTMAPPER_PORT="111", and
SMB_PORTS="137:139")

However, occasionally I get my DNS servers being blocked by these rules,
as it just so happens (through random chance?) that the request to the
servers is being sent out using port 2049.  Or occasionally it blocks
other things like access by ntpdate to the timeservers.

See these logs:

Jul 22 11:46:10 flea ntpdate[2201]: sendto(203.21.84.4): Operation not permitted
Jul 22 11:46:11 flea kernel: Outgoing_NFS_::IN= OUT=ppp0 SRC=210.84.184.89 DST=203.21.84.4 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=2049 DPT=123 LEN=56 
Jul 22 11:46:11 flea kernel: Outgoing_NFS_::IN= OUT=ppp0 SRC=210.84.184.89 DST=129.127.40.3 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=2049 DPT=123 LEN=56 
Jul 22 11:46:11 flea kernel: Outgoing_NFS_::IN= OUT=ppp0 SRC=210.84.184.89 DST=128.184.1.1 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=2049 DPT=123 LEN=56 

I have put in a rule above these rules to specifically allow traffic to
my DNS servers, but I don't want to have to do such for every other
application that may try to use port 2049.

What should I do about blocking NFS filesharing?  It uses an
unprivileged port and thus the rules randomly interfere with other
applications that may try to use this port.  Is it important to have
such rules to block it getting over the internet?

Regards.
Mark.
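As an added example (not part of Mark's post), a short Python check that parses the kernel LOG lines quoted above and evaluates each packet against the post's source-port rule and against a destination-port rule. The fourth log line is constructed to show what a hypothetical local NFS client connecting to a remote host (192.0.2.10, a documentation address) would look like.

```python
import re

# Sample input: the three kernel LOG lines from the post, plus one constructed
# line for an outbound NFS client connection (ephemeral source port, DPT=2049).
LOG_LINES = [
    "Jul 22 11:46:11 flea kernel: Outgoing_NFS_::IN= OUT=ppp0 SRC=210.84.184.89 "
    "DST=203.21.84.4 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=2049 DPT=123 LEN=56",
    "Jul 22 11:46:11 flea kernel: Outgoing_NFS_::IN= OUT=ppp0 SRC=210.84.184.89 "
    "DST=129.127.40.3 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=2049 DPT=123 LEN=56",
    "Jul 22 11:46:11 flea kernel: Outgoing_NFS_::IN= OUT=ppp0 SRC=210.84.184.89 "
    "DST=128.184.1.1 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=2049 DPT=123 LEN=56",
    # Constructed: a local NFS client talking to a remote server over the Internet.
    "Jul 22 11:50:00 flea kernel: Outgoing_NFS_::IN= OUT=ppp0 SRC=210.84.184.89 "
    "DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1025 DPT=2049 SYN",
]

# netfilter LOG output is a run of KEY=VALUE tokens (IN= may be empty, DF has no '=').
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Ports from the post: SMB_PORTS=137:139, NFS_PORT=2049, MOUNT_PORT=635, PORTMAPPER_PORT=111
FILESHARE_PORTS = {137, 138, 139, 2049, 635, 111}


def parse_log_line(line):
    """Extract protocol, addresses and ports from one netfilter LOG line."""
    fields = dict(FIELD_RE.findall(line))
    return {"proto": fields["PROTO"].lower(), "src": fields["SRC"], "dst": fields["DST"],
            "spt": int(fields["SPT"]), "dpt": int(fields["DPT"])}


def sport_rule_matches(pkt):
    """The post's OUTPUT rules: match on the local (source) port, which is
    ephemeral for any client and may land on 2049 by chance."""
    return pkt["spt"] in FILESHARE_PORTS


def dport_rule_matches(pkt):
    """Destination-port match: fires only when the remote side is a filesharing service."""
    return pkt["dpt"] in FILESHARE_PORTS


def evaluate(lines):
    """Return (proto, spt, dpt, blocked_by_sport_rule, blocked_by_dport_rule) per packet."""
    return [(p["proto"], p["spt"], p["dpt"], sport_rule_matches(p), dport_rule_matches(p))
            for p in map(parse_log_line, lines)]


if __name__ == "__main__":
    for proto, spt, dpt, by_sport, by_dport in evaluate(LOG_LINES):
        print(f"{proto} {spt}->{dpt}: --sport rule {'BLOCKS' if by_sport else 'allows'}, "
              f"--dport rule {'BLOCKS' if by_dport else 'allows'}")
```

The three NTP requests are blocked only by the source-port rule, while the constructed outbound NFS connection is blocked only by the destination-port rule. Stopping a local server from answering remote hosts is a separate concern, handled by filtering new connections to those destination ports on INPUT from the external interface rather than by source ports on OUTPUT.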
