Mailinglist Archive: opensuse-security (343 mails)

RE: [suse-security] Forwarding NFS connection
  • From: "Reckhard, Tobias" <Reckhard@xxxxxxxxxx>
  • Date: Mon, 30 Jul 2001 07:22:04 +0200
  • Message-id: <96C102324EF9D411A49500306E06C8D13480E8@xxxxxxxxxxxxxxxxx>
> I want to access a nfs-filer (SuSE 7.2, kernel nfs) with an internal IP
> (172.x.x.x) through a firewall using ipchains and having a connection to
> the internet.
>
Just for the sake of completeness, large portions of the IP space beginning
with 172 aren't part of the private address space. Only 172.16/12 is
private.

> Is it possible to forward/masq the nfs connection with ipchains and what
> are the necessary rules?
>
Well, NFS is an RPC service, so you need to allow connections to the
portmapper (UDP 111, IIRC) as well as to the port used by NFS. Normally and
AFAIK, RPCs can't be port forwarded to practically, as they use dynamic
ports. NFS is something of an exception, since most NFS server
implementations attempt to use UDP port 2049.

A better way to provide RPCs is to proxy them on a gateway machine. For NFS,
you can have the gateway be NFS server to the client on the outside and be a
client to the actual NFS server on the inside. No IP translation necessary.

You should also note that NFS and any other RPC-based services should just
about never be served to the Internet! They rank right next to the family of
Berkeley r protocols on the top of the list of protocols *not* to be passed
by an Internet firewall. You have been warned.

Tobias
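The two points in the reply above (only 172.16/12 is private, and NFS needs the portmapper on UDP 111 plus the NFS port, usually UDP 2049) can be turned into a small ruleset audit. The following is an added example, not code from the list post or from SuSE: it parses a constructed ipchains ruleset (hypothetical addresses and interface names) and flags every ACCEPT rule that opens a portmapper or NFS port to a source that is not RFC 1918 private, which is exactly the exposure the reply warns against. The rule format assumed is the classic `ipchains -A input -p PROTO -s SRC -d DST PORT -j TARGET` form; the `is_private` check is Python's `ipaddress` module, so a 172.5.x.x source is correctly treated as public.

```python
import ipaddress
import re

# Ports named in the reply: the portmapper (111) and the port most
# NFS server implementations use (2049). Protocol is checked separately.
RPC_PORTS = {111: "portmapper", 2049: "nfs"}

# Constructed sample ruleset (hypothetical hosts/interfaces) for this example.
SAMPLE_RULES = """
ipchains -A input -i eth0 -p udp -s 0/0 -d 172.16.0.5 111 -j ACCEPT
ipchains -A input -i eth0 -p udp -s 0/0 -d 172.16.0.5 2049 -j ACCEPT
ipchains -A input -i eth1 -p udp -s 172.16.0.0/12 -d 172.16.0.5 2049 -j ACCEPT
ipchains -A input -i eth0 -p tcp -s 172.31.5.0/24 -d 172.16.0.5 111 -j ACCEPT
ipchains -A input -i eth0 -p udp -s 172.5.0.0/16 -d 172.16.0.5 2049 -j ACCEPT
ipchains -A input -i eth0 -p tcp -s 0/0 -d 172.16.0.5 22 -j ACCEPT
ipchains -A input -i eth0 -p udp -s 0/0 -d 172.16.0.5 111 -j DENY
"""

# Assumed ipchains syntax: "-p proto -s source -d dest port -j target".
RULE_RE = re.compile(
    r"-p\s+(?P<proto>\w+)\s+-s\s+(?P<src>\S+)\s+-d\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+-j\s+(?P<target>\w+)"
)


def is_private_source(src):
    """True only for RFC 1918 space; '0/0' (any) and e.g. 172.5/16 are public."""
    if src in ("0/0", "0.0.0.0/0", "any"):
        return False
    return ipaddress.ip_network(src, strict=False).is_private


def exposed_rpc_rules(ruleset_text):
    """Return (port, service, proto, src) for every ACCEPT rule that lets a
    non-private source reach a portmapper or NFS port."""
    findings = []
    for line in ruleset_text.strip().splitlines():
        m = RULE_RE.search(line)
        if not m or m.group("target") != "ACCEPT":
            continue
        port = int(m.group("port"))
        if port not in RPC_PORTS:
            continue
        if is_private_source(m.group("src")):
            continue
        findings.append((port, RPC_PORTS[port], m.group("proto"), m.group("src")))
    return findings


if __name__ == "__main__":
    for port, service, proto, src in exposed_rpc_rules(SAMPLE_RULES):
        print(f"EXPOSED: {service} ({proto}/{port}) accepted from {src}")
```

Run against the sample, the script reports three rules: the two `0/0` rules for 111 and 2049, and the rule accepting NFS from 172.5.0.0/16, which looks internal at a glance but is outside 172.16/12. The DENY rule and the port 22 rule are ignored, as are the rules whose source is genuinely private.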

