RE: [suse-security] Forwarding NFS connection
> I want to access a nfs-filer (SuSE 7.2, kernel nfs) with an internal IP (172.x.x.x) through a firewall using ipchains and having a connection to the internet.
Just for the sake of completeness, large portions of the IP space beginning with 172 aren't part of the private address space. Only 172.16/12 is private.
> Is it possible to forward/masq the nfs connection with ipchains and what are the necessary rules?
Well, NFS is an RPC service, so you need to allow connections to the portmapper (UDP 111, IIRC) as well as to the port used by NFS. Normally, and AFAIK, RPCs can't practically be port forwarded, as they use dynamic ports. NFS is something of an exception, since most NFS server implementations attempt to use UDP port 2049.

A better way to provide RPCs is to proxy them on a gateway machine. For NFS, you can have the gateway be NFS server to the client on the outside and be a client to the actual NFS server on the inside. No IP translation necessary.

You should also note that NFS and any other RPC-based services should just about never be served to the Internet! They rank right next to the family of Berkeley r protocols on the top of the list of protocols *not* to be passed by an Internet firewall. You have been warned.

Tobias
Participants (1): Reckhard, Tobias
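As an added illustration (not part of the original thread or Tobias's advice in code form), the script below writes the posture the reply recommends as ipchains rules: the portmapper (111) and NFS (2049) ports are reachable only from the LAN, and any attempt to reach them from or through the Internet-facing interface is denied and logged. It also checks, per the remark about 172.x, that the filer address really lies in 172.16.0.0/12 before emitting anything. Interface names, the LAN range and the filer address are assumptions set as defaults; `DRY_RUN=1` (the default) prints the commands instead of running them so the ruleset can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original post. Emits (or applies) ipchains rules
# that keep portmapper and NFS traffic inside the LAN and log anything arriving
# for those ports from the Internet. Names and addresses below are assumptions.

EXT_IF="${EXT_IF:-eth0}"                 # assumed: interface facing the Internet
INT_IF="${INT_IF:-eth1}"                 # assumed: interface facing the LAN
LAN="${LAN:-172.16.0.0/12}"              # assumed: the private LAN range
NFS_SERVER="${NFS_SERVER:-172.20.1.10}"  # constructed filer address (hypothetical)
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the commands, 0 = execute them

# Ports named in the reply: portmapper (111) and the usual NFS port (2049).
RPC_PORTS="111 2049"

# Return 0 if an IPv4 address is inside 172.16.0.0/12 (the private part of
# 172.x), 1 otherwise. For a /12 only the first two octets matter.
in_172_private() {
    o1=${1%%.*}
    rest=${1#*.}
    o2=${rest%%.*}
    [ "$o1" = 172 ] || return 1
    case "$o2" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit the ruleset. ipchains matches first rule first, so the LAN-only ACCEPT
# on the input chain comes before the catch-all DENY for the outside interface.
# On the forward chain, -i names the interface the packet would leave by, so
# "-i $EXT_IF ... DENY" stops these ports being forwarded out to the Internet.
nfs_rules() {
    if ! in_172_private "$NFS_SERVER"; then
        echo "error: $NFS_SERVER is not in 172.16.0.0/12" >&2
        return 1
    fi
    for port in $RPC_PORTS; do
        for proto in udp tcp; do
            run ipchains -A input -i "$INT_IF" -p "$proto" -s "$LAN" -d "$NFS_SERVER" "$port" -j ACCEPT
            run ipchains -A input -i "$EXT_IF" -p "$proto" -d 0/0 "$port" -j DENY -l
            run ipchains -A forward -i "$EXT_IF" -p "$proto" -s "$LAN" -d 0/0 "$port" -j DENY -l
        done
    done
}

# Stand-alone use: review the rules, then rerun with DRY_RUN=0 on the gateway.
nfs_rules
```

Running it with `DRY_RUN=0 EXT_IF=... NFS_SERVER=...` applies the rules; the `-l` flag on the DENY rules makes blocked probes show up in the kernel log, which is the detection half of the advice. If the filer really must be reachable from outside, the reply's gateway-proxy approach (the gateway mounts the filer and exports it itself) keeps these rules as they are rather than opening 111 and 2049 on the outside.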