
Re: NFS versus the firewall



Charles Curley wrote:
On Tue, Jan 01, 2008 at 12:25:05PM +1030, Tim wrote:
Something has bugged me for ages about trying to use NFS between
machines on the LAN.

http://www.charlescurley.com/nfs.html


Charles has given a link to his fairly comprehensive method for getting NFS-v[123] working in an iptables-firewalled environment.

It should be noted that in the system-config-firewall command, they are talking about NFS-v4, which is more like FTP in its use of ports. The older protocol versions are much harder to configure.

I took a different tack in solving the problem...
I decided that inside my firewall, on the private-IP LAN (I use a 10.x.x.x set of addresses), I want to treat the locally addressed network as a "trusted" network. Older versions of the firewall configurator (prior to F6?) had a checkbox to select such an option; the current s-c-firewall doesn't offer this.

What I did was insert a rule on the INPUT ruleset in front of the RH-Firewall-INPUT call:

#/etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
# <------- Inserted (marker kept on its own line: iptables-restore only skips whole-line comments)
-I INPUT --src 10.0.1.0/24 -j ACCEPT
-I INPUT --in-interface lo  --jump ACCEPT
:FORWARD ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH. . .

The 10.0.1.0/24 should be replaced with the CIDR of your local network.
This preempts the Firewall chain if the address is in the noted network.
Since the 10.x.x.x and other private address IP ranges are non-routable (meaning they won't be passed through a router generally), it is moderately safe to presume that such addresses originated inside your border firewall, and that they may use any available services without restrictions.


Once you edit the firewall rules in /etc/sysconfig/iptables (or do the slightly more complicated steps necessary to get F8 s-c-f to deal with a custom ruleset) older NFS versions will "automagically" work as long as you have the exports file set correctly.

This is less than professionally paranoid in terms of security, but I offer it as another method that solves more than the NFS problem.

--
Wolfe
<Drat, Thunderbird doesn't know about GNUpg keys!>
Hug Your Wolf!
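The post's "moderately safe" presumption rests on a private source address only ever arriving from the inside. A practitioner would want two checks on top of it: refuse the rule unless the CIDR really is an RFC 1918 block, and tie the ACCEPT to the LAN interface so a packet carrying a 10.x source on the outside interface is dropped rather than trusted. The script below is an added example, not code from Wolfe's post or from system-config-firewall; the function names, the eth1 interface and the sample CIDRs are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): emit an /etc/sysconfig/iptables
# ruleset in the post's layout that trusts a private LAN range, but only on
# the interface that range lives on. Interface and CIDR values are assumptions.

# ip4_to_int A.B.C.D -> 32-bit integer on stdout; fails on malformed input
ip4_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# is_private_cidr A.B.C.D/N -> success only if the block lies entirely inside
# one of the RFC 1918 ranges 10/8, 172.16/12 or 192.168/16
is_private_cidr() {
    cidr=$1
    addr=${cidr%/*}; plen=${cidr#*/}
    [ "$addr" != "$cidr" ] || return 1           # no '/' present
    case $plen in ''|*[!0-9]*) return 1;; esac
    [ "$plen" -le 32 ] || return 1
    ip=$(ip4_to_int "$addr") || return 1
    for r in "10.0.0.0 8" "172.16.0.0 12" "192.168.0.0 16"; do
        set -- $r
        base=$(ip4_to_int "$1"); rlen=$2
        [ "$plen" -ge "$rlen" ] || continue     # block wider than the range
        mask=$(( (4294967295 << (32 - rlen)) & 4294967295 ))
        [ $(( ip & mask )) -eq "$base" ] && return 0
    done
    return 1
}

# gen_lan_trust_rules CIDR IFACE -> prints a ruleset for iptables-restore.
# Usage: gen_lan_trust_rules 10.0.1.0/24 eth1 > /etc/sysconfig/iptables
gen_lan_trust_rules() {
    lan=$1; lanif=$2
    if ! is_private_cidr "$lan"; then
        echo "refusing: $lan is not inside an RFC 1918 block" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
# Trusted LAN, but only when the packet actually arrived on the LAN interface
-A INPUT -i $lanif -s $lan -j ACCEPT
# A LAN source address on any other interface is spoofed: drop it
-A INPUT ! -i $lanif -s $lan -j DROP
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
```

The ordering matters: the interface-bound ACCEPT and the anti-spoof DROP both sit ahead of the jump into RH-Firewall-1-INPUT, so the rest of the s-c-firewall chain is untouched and older NFS versions still work from the LAN exactly as the post describes, while a forged private source on the outside interface never reaches the services that chain would otherwise have protected.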


