On Thu, Apr 28, 2005 at 04:47:11PM -0600, Lonnie Olson wrote:
> On Apr 28, 2005, at 4:30 PM, Charles Curley wrote:
> > I recently added a wireless AP to my network. This means I now want
> > firewalls on all my boxen. Which ports do I have to have open so I can
> > export NFS?
> >
> > I found:
> >
> > sunrpc  111/tcp   portmapper  # RPC 4.0 portmapper TCP
> > sunrpc  111/udp   portmapper  # RPC 4.0 portmapper UDP
> > nfs     2049/tcp  nfsd
> > nfs     2049/udp  nfsd
> >
> > What else?
>
> Those should be fine for normal use, but you can also look at other
> open ports via `rpcinfo -p`.

Thanks, that helped.

> Also be aware of security. NFS has only host/IP based security.
> Meaning anyone driving by that can hop on your WAP, choose an IP
> address and mount your exports, and may do nasty things.

Very much aware of the issues here. I'm going to re-write the export
file to allow only specific IP addresses, and they are all already RO
anyway.

Using iptables-[save|restore] and some braindead scripting, I now have
two firewalls, one for when I want to allow NFS, and one for when I
don't. :-)

And I don't put anything critical on them. As far as I'm concerned, if
some bozon wants to do a drive-by crack and slurp in 3 GB of Fedora Core
ISOs, he/she/it is welcome to it.

> --lonnie
>
> .===================================.
> | This has been a P.L.U.G. mailing. |
> | Don't Fear the Penguin.           |
> | IRC: #utah at irc.freenode.net    |
> `==================================='

-- 
Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0 809C FFF6 4C48 4ECD DFDB
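The approach described in the thread (open 111 and 2049 for tcp and udp, take the remaining RPC ports from `rpcinfo -p`, admit only specific client addresses, and keep two iptables rulesets to swap with iptables-restore), as an added worked example that is not part of the original messages. It parses a constructed `rpcinfo -p` sample (the mountd, nlockmgr and status ports in it are assumed values, since those daemons take whatever port they get at start-up) and emits an NFS-on and an NFS-off ruleset for two assumed client addresses, 192.168.1.10 and 192.168.1.11.

```shell
#!/bin/sh
# Added example, not code from the original thread: turn `rpcinfo -p`
# output into an iptables-restore ruleset that admits the RPC services
# only from named client addresses, plus the matching "NFS off" ruleset,
# so the two can be swapped with iptables-restore.

# Constructed sample of `rpcinfo -p` on an NFSv3 server. The mountd,
# nlockmgr and status ports are assumed values; on a real host they are
# assigned when the daemons start and differ from machine to machine.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp    940  mountd
    100005    1   tcp    943  mountd
    100021    1   udp  32768  nlockmgr
    100021    1   tcp  32769  nlockmgr
    100024    1   udp    937  status
    100024    1   tcp    941  status'

# Everything an NFSv3 client talks to beyond portmapper and nfsd itself.
NFS_SERVICES='portmapper nfs mountd nlockmgr status'

# rpc_ports SERVICES   (rpcinfo -p output on stdin)
# Prints one "proto port" pair per line for the named services, without
# duplicates, in first-seen order (several versions share one port).
rpc_ports() {
    awk -v want="$1" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        NF == 5 && ($5 in keep) {
            key = $3 " " $4
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# ruleset_head: default-deny INPUT, keep loopback and reply traffic.
ruleset_head() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# nfs_ruleset CLIENTS RPCINFO_TEXT
# CLIENTS is a space-separated list of addresses or CIDR blocks. Each
# client gets one ACCEPT per (proto, port) pair rpcinfo reports, so other
# hosts on the LAN cannot reach the RPC services at all; the export list
# still does its own per-host checks on top of this.
nfs_ruleset() {
    ruleset_head
    printf '%s\n' "$2" | rpc_ports "$NFS_SERVICES" |
    while read -r proto port; do
        for client in $1; do
            printf '%s -s %s -p %s --dport %s -j ACCEPT\n' \
                '-A INPUT' "$client" "$proto" "$port"
        done
    done
    echo COMMIT
}

# nfs_off_ruleset: the same base policy with no RPC holes at all.
nfs_off_ruleset() {
    ruleset_head
    echo COMMIT
}

# switch_firewall FILE: load one of the saved rulesets. iptables-restore
# replaces the whole table in one step, which is the "two firewalls"
# trick from the thread. Needs root; not invoked by this script.
switch_firewall() {
    iptables-restore < "$1"
}

# Demo: print the NFS-on ruleset for the two assumed client addresses.
nfs_ruleset '192.168.1.10 192.168.1.11' "$SAMPLE_RPCINFO"
```

Save the two outputs to files and flip between them with `iptables-restore`. Because mountd, lockd and statd register on whatever ports they are given at start-up, regenerate the NFS-on ruleset after each server restart (or pin those ports) or the saved file silently stops matching. Note also what the ruleset does and does not buy: it narrows which source addresses may talk to the RPC services, but NFS still trusts the client IP, and a drive-by on the WAP can pick any address it likes, so the read-only exports and the "nothing critical on them" policy from the message remain the real controls.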
