[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: iptables and NFS

Ghe Rivero <ghe@upsa.es> writes:

> we are going to use netfilter for our main firewall at University and
> a couples of dudes come to my mind now:
> 1.- Since we have severals machines (around 50)  and all king of
>     services, which is the best way to have everything more or less
>     order?

Use something higher level that raw iptables.  I would suggest
'firehol', which is packaged in Debian, but 'shorewall' is also a good

Firehol is a script based language for iptables firewall definition,
while shorewall is a declarative language.  Your preferences are
probably the biggest deciding factor between them.

Either of those will produce a higher quality firewall, more quickly,
than writing the rules by hand will, in most cases.[1]

> 2.- NFS use dinamic ports on conenctions with the clients. Howis it
>     supposed to be firewaled (The same can be for some Windows
>     isssues)

As others have noted, NFS is really not really designed to pass through
firewalls, and may pose significant security risk if, as I guess, by
"main firewall" you mean one between you and the Internet.

'firehol' solves the problem of securely protecting RPC services such as
NFS by performing a query on the NFS server at start time, which allows
it to determine the ports used by NFS, and then allowing access only to
those ports.

This has the bonus of exposing as little as possible - only the ports
used by NFS are available - at the cost of needing to regenerate the
firewall rules when the NFS server restarts.[2]

Alternately, as others have suggested, fix the NFS server to specific
ports and firewall those explicitly.


[1]  This is my conclusion after inspecting a wide range of firewalls,
     including hand build firewalls.  The scripts don't slip up nearly
     as often as people do, and they sure don't get bored with writing
     thousands of lines of highly detailed and secure rules.

[2]  Alternately, find a solution where your NFS server binds to a fixed
     port or simply re-uses the previous RPC port, and you don't
     actually need to restart the firewall.

Reply to: