NFS-mount thru firewall
Hello, I have the need to mount an NFS volume through a firewall. Sadly I was not able to find the ports to open and therefore I'd like to ask you whether anybody can answer the following question: Is SuSE-FW2 able to enable NFS ports (login from my LX-box to the server) in a way that the MAC address is checked and the port is only available to this machine? This would shorten security risks I guess. Is there any alternative to this?

-- 
Kind regards
Ingo
> Is SuSE-FW2 able to enable NFS ports (login from my LX-box to the server) in a way that the MAC address is checked and the port is only available to this machine? This would shorten security risks I guess.

This will work (I use it from /etc/sysconfig/scripts/SuSEfirewall2-custom):

    # in /etc/sysconfig/scripts/SuSEfirewall2-custom (bash; uses an array)
    FW_ALLOW_NFS=""

    # These ports will be opened for access by the given host
    # (showmount -e seems to use tcp ports around 1200, damn...)
    allow_nfs_ports_in() {
        echo "
        $1,tcp,111
        $1,udp,111
        $1,udp,2049
        $1,udp,600:1399
        $1,udp,2100:2499
        "
    }

    if [ -n "$FW_ALLOW_NFS" -a "$FW_ALLOW_NFS" != no ]; then
        for host in $FW_ALLOW_NFS; do
            # one host,proto,port entry per line, appended to the trusted nets
            addnet=( `allow_nfs_ports_in $host` )
            FW_TRUSTED_NETS="$FW_TRUSTED_NETS ${addnet[@]}"
        done
        echo "FW_TRUSTED_NETS=$FW_TRUSTED_NETS"
    fi

Issues:

- It allows those ports on all interfaces, not just the one you want - if you only have one, fine.
- Those udp ports are a guess - security won't be much worse by just allowing 600:6000. If your mounts suddenly hang (or the mount times out) check this.
- It doesn't allow for your MAC address checking. If you want finer control, you have to generate iptables rules yourself, at the correct point in the SuSEfirewall2 script. You'll probably find that you need to edit the script itself.

> Is there any alternative to this?

NFS is a pain. In theory, you need a packet filter which listens in on the portmapper exchange and on the fly opens and closes the udp ports actually being used. In practice, no (unless you implement the theory yourself).

If there is another way after all, please let me know as well...

Volker

-- 
Volker Kuhlmann is possibly list0570 with the domain in header
http://volker.dnsalias.net/
Please do not CC list postings to me.
On Wed, Feb 19, 2003 at 10:35:57AM +1300, Volker Kuhlmann wrote:
> > Is there any alternative to this?
>
> NFS is a pain. In theory, you need a packet filter which listens in on the portmapper exchange and on the fly opens and closes the udp ports actually being used. In practice, no (unless you implement the theory yourself).
>
> If there is another way after all, please let me know as well...

I think there was a way to bind the daemons to some fixed, previously known, port. Then you can open those, and don't have to supply a range. Damn, where are my notes on that ... AFAICR, it was option -p for the listening port of rpc.nfsd, rpc.mountd, rpc.statd, and -o for the outgoing port of statd. Not sure about lockd. And you need a port=### (or mountport=###) option for mount. Hope that is enough to find the needed info.

Lars
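The two suggestions above fit together: pin mountd, statd and lockd to fixed ports as Lars recalls, and then the firewall only has to admit five known ports instead of Volker's guessed udp ranges, and can do so on one interface from one client (the two issues Volker lists with his SuSEfirewall2 snippet). The script below is an added example and is not code from either poster or from SuSEfirewall2. It only prints iptables rules, so it can be reviewed before it is applied. The interface name, the client address and the non-standard port numbers are constructed placeholders; the daemon flags in the comments are those documented for nfs-utils (rpc.mountd -p, rpc.statd -p/-o) and the lockd kernel module (nlm_udpport/nlm_tcpport), so check them against the versions you actually run.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables rules that admit NFS
# only from one client, on one interface, to daemons pinned to fixed ports.
# All addresses and the non-standard port numbers are constructed placeholders.

NFS_IFACE="${NFS_IFACE:-eth1}"            # interface facing the client (placeholder)
CLIENT_IP="${CLIENT_IP:-192.0.2.10}"      # client address, TEST-NET range (placeholder)
CLIENT_MAC="${CLIENT_MAC:-}"              # optional; only meaningful on the same LAN segment

# Fixed ports. The server side must use the same numbers, e.g.:
#   rpc.mountd -p 4002
#   rpc.statd  -p 4000 -o 4001          (-o pins statd's outgoing port)
#   modprobe lockd nlm_udpport=4003 nlm_tcpport=4003
# and the client mounts with -o mountport=4002 so portmapper need not be asked.
PORTMAP_PORT=111
NFSD_PORT=2049
MOUNTD_PORT=4002
STATD_PORT=4000
LOCKD_PORT=4003
NFS_PORTS="$PORTMAP_PORT $NFSD_PORT $MOUNTD_PORT $STATD_PORT $LOCKD_PORT"

# One ACCEPT rule for a given protocol and port, restricted to the trusted client.
# When CLIENT_MAC is set the rule also matches the Ethernet source address, which
# narrows things further but is no stronger than the IP check: both are spoofable.
nfs_accept_rule() {
  proto=$1
  port=$2
  mac_match=""
  if [ -n "$CLIENT_MAC" ]; then
    mac_match=" -m mac --mac-source $CLIENT_MAC"
  fi
  echo "iptables -A INPUT -i $NFS_IFACE -p $proto -s $CLIENT_IP$mac_match --dport $port -j ACCEPT"
}

# The full rule set: ACCEPT from the client for every NFS port over tcp and udp,
# then DROP the same ports from everyone else so no later rule lets them in.
nfs_rules() {
  for port in $NFS_PORTS; do
    for proto in tcp udp; do
      nfs_accept_rule "$proto" "$port"
    done
  done
  for port in $NFS_PORTS; do
    for proto in tcp udp; do
      echo "iptables -A INPUT -i $NFS_IFACE -p $proto --dport $port -j DROP"
    done
  done
}

# Number of rules the generator emits (5 ports x 2 protocols x ACCEPT+DROP = 20).
nfs_rule_count() {
  nfs_rules | wc -l | tr -d ' '
}

# Print the rules; review them, then apply on the server with:  sh nfs-rules.sh | sh
nfs_rules
```

The rules land in INPUT on the NFS server (or, with -i set to the outside interface, on the firewall in front of it). Because the ports are fixed, no range has to be guessed and a hanging mount points at a daemon that was started without its -p option rather than at the filter. The MAC match does what Ingo asked for, but only on a shared segment and only as a nuisance filter: an IP or MAC source check keeps strangers from reaching the daemons, it does not authenticate the client.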
* Volker Kuhlmann wrote on Wed, Feb 19, 2003 at 10:35 +1300:
> > Is there any alternative to this?
>
> NFS is a pain. In theory, you need a packet filter which listens in on the portmapper exchange and on the fly opens and closes the udp ports actually being used.

Yes, it is... Closing ports on the fly? This results in blocking unused ports, if I understood correctly. I don't think that it is so horrible to have unused ports open. Firewalling access except for a few trusted IPs is not that bad at all, and on the NFS server and/or the client you could roll out some additional local rules, but UDP packet source addresses are easy to spoof (or "set", "spoof" sounds so complicated :)). Some RPC services can be configured to listen on specified ports, maybe nfsd has this feature also?

oki,

Steffen

-- 
This message was generated by machine and therefore bears neither signature nor seal.
Hi! Under the following URL you find one description of how to tunnel NFS in SSH. This is AFAIK the easiest approach to use NFS in a secure way (not only if you have a firewall, it might even be a good replacement for unencrypted NFS in your LAN - as long as you are not 100% sure who has access to the network): http://www.math.ualberta.ca/imaging/snfs/ There are many other manuals on the net on how to do this, try a Google search.

CU, Lars.
* Ingo Doerrie <ingo@doerrie-net.de> [2003-02-18 16:51 +0100]:
> I have the need to mount an NFS volume through a firewall. [.. opening ports ..] Is there any alternative to this?

What about tunnelling NFS-over-IP-over-PPP-over-SSH-through-the-firewall, as shown in http://www.jfranken.de/homepages/johannes/vortraege/ssh2.en.html#ToC12 As a nice side-effect, your NFS traffic would be compressed and enciphered, and ssh itself can easily tunnel through other protocols like https (see http://www.jfranken.de/homepages/johannes/vortraege/ssh3.en.html#ToC6 ).

-- 
Johannes Franken
Professional unix/network development
mailto:jfranken@jfranken.de
http://www.jfranken.de/
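The two SSH pointers above (snfs, and Johannes's PPP-over-SSH setup) both hide NFS inside one TCP connection, so the firewall only has to pass ssh. As an added example that is not from either of those pages or from any poster, here is the plainer variant that works without PPP: forward the nfsd and mountd TCP ports with ssh -L and mount through the forwarded ports. It assumes NFS is served over TCP (ssh forwards TCP only), that mountd has been pinned to a fixed port with rpc.mountd -p, and it uses constructed placeholder values for the server login, the export and the port numbers; the ssh and mount options themselves are the documented ones.

```shell
#!/bin/sh
# Added example (not from the thread or the linked pages): forward the two NFS
# TCP ports over a plain ssh -L tunnel and mount through the forwarded ports.
# Everything below is a constructed placeholder except the ssh/mount options.

SERVER="${SERVER:-nfsuser@nfs.example.com}"   # placeholder login on the NFS server
EXPORT="${EXPORT:-/export/home}"              # placeholder exported directory
MOUNTPOINT="${MOUNTPOINT:-/mnt/home}"
LOCAL_NFSD=3049          # local ends of the tunnel: any free ports on the client
LOCAL_MOUNTD=3050
REMOTE_NFSD=2049         # nfsd's port on the server
REMOTE_MOUNTD=4002       # mountd must be pinned (rpc.mountd -p 4002); placeholder value

# ssh command: -f (background after authentication), -N (no remote command),
# -C (compress), and two -L forwards from the client's loopback to the
# server's loopback, so neither daemon needs to be reachable from outside.
nfs_tunnel_cmd() {
  echo "ssh -f -N -C -L $LOCAL_NFSD:127.0.0.1:$REMOTE_NFSD -L $LOCAL_MOUNTD:127.0.0.1:$REMOTE_MOUNTD $SERVER"
}

# mount command: tcp because the tunnel carries TCP only; port= and mountport=
# point at the local tunnel ends, so the client never asks the server's
# portmapper and no udp port has to be opened; nolock keeps statd/lockd out of
# the picture (file locking across the tunnel is not available then).
nfs_mount_cmd() {
  echo "mount -t nfs -o tcp,port=$LOCAL_NFSD,mountport=$LOCAL_MOUNTD,nolock 127.0.0.1:$EXPORT $MOUNTPOINT"
}

# Print both commands; run the first, then the second, as root on the client.
nfs_tunnel_cmd
nfs_mount_cmd
```

On the server, nfsd and mountd can then be bound to 127.0.0.1 or filtered to it, and the firewall rule set shrinks to tcp/22 from the client. The price is that everything goes through one user's ssh session (so the tunnel dies with it) and that locking is switched off with nolock; if locking is needed, statd and lockd would have to be pinned and forwarded the same way.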