
Re: nfs and firewall
A long time ago, in a galaxy far, far away, someone said...

> Hai,
> 
> I'm trying to secure my system, I ran pmfirewall and some tests.
> It seems that rpc.mountd still listens on port 1024 even on the
> outgoing ethernet.
> 
> I am trying hard to read up on this subject, but in the meantime
> I would feel much better if I were able to shut off *all* services
> from this machine to the hostile internet. So if some kind soul
> could shed some light onto this, I would be much obliged :)

I would remove the nfs-server (or nfs-kernel-server, whichever you have
installed) package.  You don't need that package to connect to an NFS
server; only if you're going to *be* the NFS server do you need it.

That will also happen to solve the problem of trying to firewall off the
NFS port: there won't be anything to firewall off.

> My setup is a firewall and several local machines on a local net,
> the firewall doing masquerading and firewalling. For ease of upgrading
> I want the firewall to be able to mount a debian mirror on another
> local machine. In the end I also think of letting the firewall machine
> act as a local mail and news server (is that deemed secure?).

It can be a bad thing: I call having "too many" services on one system
"too many eggs in one basket".  I've seen situations in the past where an
exploit in one piece of software will expose the entire system to the
attacker, and let him/her gain access to all that computer offers.

Whether or not it's secure depends on who the firewall rules allow to
access the service.

-- 
----------------------------------------------------------------------
Phil Brutsche				    pbrutsch@tux.creighton.edu

"There are two things that are infinite: human stupidity and the
universe. And I'm not sure about the universe." - Albert Einstein
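Added example, not part of the thread: a small POSIX shell check that classifies the RPC programs registered with the portmapper, so you can see whether a host is still advertising server-only NFS services (mountd, nfs) that a pure NFS client does not need. The `rpcinfo -p` output below is constructed, not captured from the poster's machine, and the check runs against that text rather than a live host.

```shell
# Constructed sample of `rpcinfo -p` output from a host that still has the
# NFS server package installed (not captured from a real system).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   1024  mountd
    100005    1   tcp   1024  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100021    1   udp   1027  nlockmgr'

# Second constructed sample: a client-only host after the server package
# has been removed. Only portmapper and the lock manager remain.
SAMPLE_CLIENT_ONLY='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100021    1   udp   1027  nlockmgr'

# classify_rpc RPCINFO_TEXT
# Prints one line per registration: "<name> <proto> <port> <role>".
# role is server-only for mountd/nfs (only needed when *being* a server),
# client for portmapper/nlockmgr/status (needed to mount remote exports),
# and other for anything else. The header line is skipped.
classify_rpc() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }
        { role = "other" }
        $5 == "mountd" || $5 == "nfs" { role = "server-only" }
        $5 == "portmapper" || $5 == "nlockmgr" || $5 == "status" { role = "client" }
        { print $5, $3, $4, role }'
}

# count_server_only RPCINFO_TEXT
# Prints how many server-only registrations are present. 0 means nothing is
# left that removing nfs-server / nfs-kernel-server would have taken away.
count_server_only() {
    classify_rpc "$1" | awk '$4 == "server-only" { n++ } END { print n + 0 }'
}

# Stand-alone run: report on the constructed sample.
classify_rpc "$SAMPLE_RPCINFO"
echo "server-only registrations: $(count_server_only "$SAMPLE_RPCINFO")"
```

On a real host, replace the constructed text with `rpcinfo -p` output and re-run the check after removing the server package to confirm that only the client-side programs remain.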
