Ted Unangst wrote:
> On 6/21/06, Clint Pachl <[EMAIL PROTECTED]> wrote:
> > Because portmap(8) dynamically assigns the mountd(8) port, how would
> > one write a pass rule in pf for mountd(8) traffic? My problem is that
> > every time mountd(8) is re/started, it operates on a different port and
> > my fixed pf rules block the mount protocol and, consequently, my
> > clients cannot mount an NFS share.
>
> i file nfs traffic into the "stuff not supposed to be going through
> the firewall" category. a firewall implies there are bad people on
> one side of it, and you don't want bad people to access nfs, ever.
> i'd use a vpn of some sort to tunnel through the firewall.
I agree, however, my NFS traffic is not passing through a firewall. This
is an internal host on a "trusted" network serving things like http. I
usually lock down all of my boxes whether they are facing the Internet
or not. Anyway, I just recently decided to export an NFS share on this
box and ran into my originally posted problem.
It just kind of sucks that now I have to compromise security or
functionality or create a workaround. Not that this box really needs to
run pf, I just feel better about doing so.
-pachl
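As an added example that is not part of this thread: one way to keep pf on the box without knowing mountd(8)'s port in advance is to stop matching the RPC services by destination port and match on the client address instead, so the trusted-client list becomes the control. The interface name, the client addresses and the table name below are assumptions.

```pf
# Example pf.conf fragment (assumed: internal interface em0, two NFS clients).
int_if = "em0"
table <nfs_clients> const { 192.0.2.10, 192.0.2.11 }

# Default deny on the internal interface; the rule below is the only exception.
block in on $int_if

# portmap(8) listens on a fixed port (111) and nfsd(8) on 2049, but mountd(8)
# is handed a fresh port by portmap every time it starts, so no fixed
# "port" clause can cover it. Instead, pass traffic from the listed
# clients to this host's own address regardless of port; nothing outside
# <nfs_clients> reaches portmap, mountd or nfsd at all.
pass in on $int_if proto { tcp, udp } from <nfs_clients> to ($int_if) keep state
```

Check the fragment with `pfctl -nf /etc/pf.conf` before loading it, and keep the table short, since every address in it can reach every service on the host, not just NFS.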