
Re: IPMasqing NFS



On Wed, May 09, 2001 at 02:12:38PM -0700, Chris Majewski wrote:
> Mike Fedyk <mfedyk@matchmail.com> writes:
> 
> > Try rpcinfo; if that won't get through, you need to make sure that you let
> > through the statd port. 
> 
> Here's what rpcinfo says: 
> [okocim]13:55:34[/etc]$ rpcinfo gw.krzys.com
> rpcinfo: can't contact rpcbind: : RPC: Unable to receive; errno = Connection refused; System error
> 
> What's statd? I'm now doing the following on my firewall:
> 
> /sbin/ipchains -P forward DENY
> /sbin/ipchains -A forward -i eth0 -s 10.0.0.0/24 -j MASQ
> /usr/sbin/ipmasqadm portfw -f
> /usr/sbin/ipmasqadm portfw -a -P tcp -L 24.115.135.172 2222 -R 10.0.0.3 2222
> /usr/sbin/ipmasqadm portfw -a -P tcp -L 24.115.135.172 2049 -R 10.0.0.3 2049
> /usr/sbin/ipmasqadm portfw -a -P tcp -L 24.115.135.172 111 -R 10.0.0.3 111
> 
> The last three correspond to sshd, nfs, and sunrpc, but I have no idea
> what I'm doing (sshd works, nfs doesn't). 
> 

Until you know how to use these tools, you shouldn't even try to do this:

lsof
netstat
tcpdump
nfs protocol and security considerations.

You are holding open a big garage door that's screaming "HACK ME! I WANT TO GIVE
ALL OF MY FILES AWAY, AND HAVE YOU DELETE THEM AFTERWARDS!"

You realize that nfs is worse than using telnet (over the internet), right?

> > Remember with nfs:
> > 
> > Anyone can act as any of your users!  I would set up an IPsec tunnel for this
> > myself if I did this at all.
> 
> What's an IPsec tunnel and how do I set one up? 
>

www.freeswan.org

You need to know how to compile your own kernel, use tcpdump, and debug
network issues.  You can get help from the freeswan guys, but you should
pick up a networking book and read it NOW.

Post more about what you really want to achieve, and maybe we can help you
pick another solution that is more secure.

Mike
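As an added example (not part of this thread or the poster's setup), a small Python script that parses `rpcinfo -p` output from an NFS server and checks which registered RPC services the thread's three `portfw` rules actually reach. The rpcinfo listing and its dynamic port numbers are constructed for the example; it shows why the mount fails and, just as importantly, what the forwards already expose: only portmapper and nfs on TCP get through, while mountd, statd and nlockmgr sit on ports no rule covers.

```python
import re

# Constructed sample of `rpcinfo -p` as an NFS server like the thread's
# 10.0.0.3 might print it. Ports above 1024 are hypothetical: status (statd),
# nlockmgr and mountd normally register on dynamic ports, which is the point.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32769  status
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100021    1   udp  32770  nlockmgr
    100021    1   tcp  32771  nlockmgr
    100005    1   udp  32772  mountd
    100005    1   tcp  32773  mountd
"""

# (proto, port) pairs forwarded by the `ipmasqadm portfw -a -P tcp` rules
# quoted in the thread: sshd on 2222, nfs on 2049, sunrpc on 111, TCP only.
FORWARDED = {("tcp", 2222), ("tcp", 2049), ("tcp", 111)}

# One data row of `rpcinfo -p`: program, version, proto, port, service name.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Return (program, version, proto, port, name) tuples; header lines are skipped."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            prog, vers, proto, port, name = m.groups()
            services.append((int(prog), int(vers), proto, int(port), name))
    return services


def audit(rpcinfo_text, forwarded):
    """Split registered RPC services into those the forwards reach and those they do not."""
    exposed, blocked = [], []
    for _prog, _vers, proto, port, name in parse_rpcinfo(rpcinfo_text):
        entry = f"{name}/{proto}:{port}"
        (exposed if (proto, port) in forwarded else blocked).append(entry)
    return exposed, blocked


if __name__ == "__main__":
    reachable, unreachable = audit(SAMPLE_RPCINFO, FORWARDED)
    print("reachable through the portfw rules:", reachable)
    print("not reachable (mount needs mountd; locking needs statd/nlockmgr):", unreachable)
```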
