02-20-2008, 07:05 PM
Robby Workman
Re: rc.rpc in release candidate 5

On 2006-09-25, Grant <g_r_a_n_t_@dodo.com.au> wrote:
> On Mon, 25 Sep 2006 05:16:31 GMT, Robby Workman <newsgroups@rlworkman.net> wrote:
>
>> http://howtos.rlworkman.net/NFS_Firewall_HOWTO
>
> Rationale for firewall? Over here I allow unrestricted localnet traffic,
> restrict connections from 'out there'... So no problem re: random ports.
>
> Why or when would I make NFS firewall rules like in your document?

I think I've had this discussion before, but I don't know if it was here or
elsewhere, and I'm too lazy to check the archives, so I'll do it again.

My home network has ten drops plus a wireless connection. The ten drops are
from two separate five port switches, both of which are tied to eth0 on the
firewall box. The wireless access point is ath0 (SMC ? with madwifi) on the
firewall box. I occasionally have others over here, and depending on their
needs, they either use the wifi (open) connection or a wired drop. Preventing
NFS requests from the wireless network isn't a problem, as eth0 and ath0 on
the firewall are not bridged, but I initially planned to bridge them, so that
was the initial reason for wanting to restrict access at the NFS server via
iptables (on the server itself). Later on, I realized that allowing others
to use the wired network would present the same potential problems, so I
decided to continue with the original plan (minus bridging).

As it stands, the NFS server is also my primary desktop/development box, so
I run sshd and vsftpd on it as well. I realize that I could very easily
have selective filters for only ports 22 and 21, but I guess intellectual
curiosity won. Ultimately, the setup I have now allows me to have my
desktop fully firewalled (locally) to allow NFS connections only from
specified hosts, and I don't have to worry about scripting something to
see what ports were used by the RPC daemons after each boot.

Yes, I know I could have accomplished essentially the same thing with
/etc/hosts.{allow,deny}, but then, that would have eliminated the ability
to have a "deny by default" firewall policy on the NFS server.

Was that a good enough answer?

RW

--

http://rlworkman.net
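An added example (not from the original post or from the linked HOWTO) of the server-side setup described above: a deny-by-default iptables rule set for an NFS server that admits RPC traffic only from listed hosts, built from the port table that `rpcinfo -p` reports. The allowed hosts, the interface and the rpcinfo sample are constructed placeholders.

```shell
#!/bin/sh
# Added example: deny-by-default firewall for an NFS server, allowing the
# portmapper, nfsd and the other RPC daemons only from ALLOWED_HOSTS.
# ALLOWED_HOSTS and LAN_IF are constructed placeholders; set them for your LAN.

ALLOWED_HOSTS="192.168.1.10 192.168.1.11"
LAN_IF="eth0"

# Constructed sample of `rpcinfo -p` output so the script runs offline.
# On a real server replace it with: SAMPLE_RPCINFO="$(rpcinfo -p)"
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   tcp    892  mountd
    100005    3   udp    892  mountd
    100021    4   tcp  32803  nlockmgr
    100024    1   udp  32765  status'

# Extract unique "proto port" pairs from rpcinfo output, skipping the header.
# sort -u collapses services that register several versions on one port.
rpc_ports() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF == 5 { print $3, $4 }' | sort -u
}

# Emit iptables commands: drop inbound by default, keep loopback and
# established traffic, then open each RPC port only to the allowed hosts.
nfs_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    rpc_ports "$1" | while read -r proto port; do
        for host in $ALLOWED_HOSTS; do
            echo "iptables -A INPUT -i $LAN_IF -p $proto -s $host --dport $port -j ACCEPT"
        done
    done
}

# Print the generated rules; pipe into `sh` on the server to apply them.
nfs_rules "$SAMPLE_RPCINFO"
```

Because the rules are regenerated from `rpcinfo -p`, running this at boot covers RPC daemons that pick a different port each time; pinning the ports (as the HOWTO does) lets the rule set be static instead.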