[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: iptables and NFS

On Tue, 13 Dec 2005, Ansgar -59cobalt- Wiechers wrote:

NFS is not supposed to traverse any firewall, since it does not provide
any kind of security mechanism whatsoever.

I second that, even if NVFv4 is a litlle bit better. However, if you really,
really, REALLY MUST let NFS traverse a firewall, go to the official
netfilter web site and download the latest patch-o-matic. Then use it to
selectively apply only the required patches to enable NFS connection
tracking. This will enable you to have a much cleaner (and less insecure)
firewalling setup, since you will not need to blindly accept UDP connections
over a range of ports. Instead, you can let NFS clients (and only them)
connect to your portmapper (which runs on a well-defined port) and then let
through RELATED traffic. Another solution would be to establish a crypted,
authenticated connection between clients and servers (e.g. using IPSec using
one of the iplementations available, or ssh tunnels, or one of the many
other alternatives) and then letting relatively insecure traffic go through
the tunnels (this is what I do). It is a bit more complicated to set up, but
much more secure.



Giacomo Mulas <gmulas@ca.astro.it>

Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel. (OAC): +39 070 71180 248     Fax : +39 070 71180 222
Tel. (UNICA): +39 070 675 4916

"When the storms are raging around you, stay right where you are"
                         (Freddy Mercury)

Il messaggio e' stato analizzato alla ricerca di virus o
contenuti pericolosi da MailScanner, ed e'
risultato non infetto.

Reply to: