On Jan 11, 2007, at 12:54 PM, Garrett Cooper wrote:
It is typically not useful to implement firewall rules between NFS
servers and legitimate NFS clients.
The large number of RPC services using randomly assigned ports
needed by NFS and the fact that machines which trust each other
enough to permit filesharing and generally utilize a common set of
directory services to keep the user/group mappings synced mean
that the NFS server & clients should be considered in the same
"trust domain" in most cases.
Right, ok. I suppose I was just being lazy/trying to blanket
support all machines on my subnet without having to delve into
individual hosts, but that makes perfect sense. rpcbind (and RPC in
general) strictly uses ports under 1023--assuming that there are
enough allocatable ports available for each RPC service in the port
range 1-1023--if running as root, does it not?
Actually, no. While rpcbind/portmap/portmapper is assigned to 111/
tcp & udp, most other RPC services get assigned high port numbers in
the 327xx range, but that varies considerably from platform to platform.
Does the same rationale apply for Samba? That's part of the reason
why I'm concerned with running a firewall.. I run smbd/nmbd on the
server machine.
Somewhat, yes. Samba/CIFS filesharing can require less trust between
server and client as accessing a Samba share does not require
superuser permissions, just limited user access, but Samba does
require root access to start up and bind to the low ports it uses,
and it also involves the "network browse master" (which nmbd can do)
and so forth which involve subnet-oriented broadcast traffic.
Samba/CIFS is a chatty protocol.
Either that, or I could switch to another firewall setup (albeit
it'd be sort of a pain). Does ipfw / pf work better with RPC than
IPFilter?
No, not really. What you probably want to focus on is protecting
your entire subnet, including the fileserver and clients, from
malicious traffic via your Internet link(s), and then worry about
egress filtering, dividing your machines into a trusted internal LAN
and a semi-trusted DMZ, and so forth.
A firewall system should not be running any kind of filesharing;
while you can run PF, IPFW, etc on your fileserver, that ought to be
a secondary line of protection for "defense in depth", and your
Internet connection ought to have a dual-homed or multihomed firewall
machine which is dedicated to that role and which runs zero services.
--
-Chuck
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
