Re: iptables and NFS
Ghe Rivero <firstname.lastname@example.org> writes:
> we are going to use netfilter for our main firewall at University and
> a couple of doubts come to my mind now:
> 1.- Since we have several machines (around 50) and all kind of
> services, which is the best way to have everything more or less
Use something higher level than raw iptables. I would suggest
'firehol', which is packaged in Debian, but 'shorewall' is also a good
Firehol is a script based language for iptables firewall definition,
while shorewall is a declarative language. Your preferences are
probably the biggest deciding factor between them.
Either of those will produce a higher quality firewall, more quickly,
than writing the rules by hand will, in most cases.
> 2.- NFS uses dynamic ports on connections with the clients. How is it
> supposed to be firewalled (The same can be for some Windows
As others have noted, NFS is really not designed to pass through
firewalls, and may pose a significant security risk if, as I guess, by
"main firewall" you mean one between you and the Internet.
'firehol' solves the problem of securely protecting RPC services such as
NFS by performing a query on the NFS server at start time, which allows
it to determine the ports used by NFS, and then allows access only to
This has the bonus of exposing as little as possible - only the ports
used by NFS are available - at the cost of needing to regenerate the
firewall rules when the NFS server restarts.
Alternately, as others have suggested, fix the NFS server to specific
ports and firewall those explicitly.
This is my conclusion after inspecting a wide range of firewalls,
including hand-built firewalls. The scripts don't slip up nearly
as often as people do, and they sure don't get bored with writing
thousands of lines of highly detailed and secure rules.
Alternately, find a solution where your NFS server binds to a fixed
port or simply re-uses the previous RPC port, and you don't
actually need to restart the firewall.
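To make the "query the server at start time" approach concrete, here is an added example (my own, not firehol's or shorewall's code) that parses a constructed `rpcinfo -p` listing, picks out the ports the RPC services are currently bound to, and emits iptables rules accepting only those ports from a trusted subnet; the host, subnet and port numbers are all assumed.

```shell
#!/bin/sh
# Constructed `rpcinfo -p` listing for a hypothetical NFS server; the port
# numbers are made up. On a real host you would run: rpcinfo -p nfs-server-host
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    3   udp  32767  mountd
    100005    3   tcp  32767  mountd
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    4   tcp  32803  nlockmgr
    100021    4   udp  32769  nlockmgr
    100024    1   udp    662  status
    100024    1   tcp    662  status'

# rpc_ports LISTING SERVICE... : print "proto port" for each requested RPC
# service found in LISTING, one per line, skipping duplicate proto/port pairs.
rpc_ports() {
    listing=$1; shift
    printf '%s\n' "$listing" | awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        ($5 in ok) && !seen[$3 " " $4]++ { print $3, $4 }'
}

# nfs_rules SUBNET LISTING SERVICE... : emit iptables commands that accept
# only the discovered ports, and only from SUBNET. Assumes the INPUT chain
# already has a default-deny policy, so anything not listed stays closed.
nfs_rules() {
    subnet=$1; listing=$2; shift 2
    rpc_ports "$listing" "$@" | while read -r proto port; do
        printf 'iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n' \
            "$subnet" "$proto" "$port"
    done
}

# Example run: trust an assumed campus subnet for the usual NFS services.
# Re-run this after the NFS server restarts, since the RPC ports may move.
nfs_rules 10.10.0.0/16 "$SAMPLE_RPCINFO" portmapper mountd nfs nlockmgr status
```

The script only prints the rules; feeding them to the shell (or to iptables-restore) is left to the firewall's start-up, which is exactly the step that has to be repeated whenever the NFS server's RPC ports change.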