On Thu, Jun 16, 2005 at 09:36:18PM -0600, Michael Torrie wrote:
> On Thu, 2005-06-16 at 19:26 -0600, Charles Curley wrote:
> > I seem to have a firewall problem. I recently added some 802.11g
> > equipment to my home network, so I thought it would be a good idea to
> > tighten up the firewalls on the computers on the home network.
> >
> > If I use system-config-securitylevel to set up a minimum firewall,
> > allowing only SSH, FTP and DNS, DNS works fine. ncftp simply falls
> > back to port instead of passive mode, and continues to work. Yum fails
> > as follows:

Add another item to the scenario: Amanda also uses FTP. Another reason to
get FTP working.

> I'm a little confused. What machine is running the firewall? The
> client or the server?

Server.

> If the firewall is on the server, you'll have to write a script that
> queries the local portmap port to find out what port NFS is running
> on (which will be a UDP port) and then punch that through the
> firewall.

Or else assign it a known port, as the docs Gabriel pointed to suggest.

Is NFS always UDP? I thought it could be either UDP or TCP.

> > Any ideas on how to get yum and NFS working?
>
> For getting ftp through a firewall to the outside world, you'll want to
> insert the ip_conntrack_ftp module. That will enable passive and port
> ftp (whatever it is called) to function properly.

Already in place.

> Please tell us more about your setup. Which machine runs a firewall and
> why, which machine is your internet gateway.

The server, and because I have some 802.11g equipment and decided to be
paranoid on this issue. The internet gateway is a third machine which I
don't think is relevant to this problem.

> On my firewall, I hang the wireless AP off a third NIC with a different
> subnet than my wired lan. That way I can pretty much allow wired stuff
> to go on as normal (nfs, smb, etc), but prevent the wireless from using
> the less secure services.

Generally a good idea. Unfortunately, the client machine is on the other
side of a wireless link.

> Also bear in mind that simply securing your running services is a
> whole lot better than a firewall as a firewall doesn't protect
> running services anyway.

Right, always a good idea.

> Also, rather than using nfs over an insecure (wireless) network,
> consider using smb or something that's at least authenticated.
> These days samba supports full unix file semantics between unix
> hosts including sym and hardlinks, special files, permissions, etc.
> it could replace nfs in some circumstances.

Unfortunately, one use for NFS is Fedora Core installations. I forget what
all the options are, but I don't think SMB is among them. And SMB has its
own firewall and security nightmares. And in this case, the NFS mounts are
RO and GPLed data anyway, so let a bad guy snarf them.

-- 
Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0 809C FFF6 4C48 4ECD DFDB
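The discovery script Michael describes above (ask portmap where NFS and its helpers are listening, then open only those ports), as an added example that is from neither poster: it parses a constructed `rpcinfo -p` listing and emits iptables ACCEPT rules for the NFS-related RPC services, restricted to an assumed trusted wired subnet (192.168.1.0/24, a placeholder). It shows both the dynamic mountd/nlockmgr ports and the fact that nfs registers on UDP and TCP.

```shell
#!/bin/sh
# Added example: derive iptables rules for NFS from portmap registrations.
# Constructed sample of `rpcinfo -p` output (not captured from the poster's
# server). Column 1 is the RPC program number, column 5 the service name;
# mountd and nlockmgr land on dynamic ports, which is why discovery is needed.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp  32771  mountd
    100005    1   tcp  32772  mountd
    100021    1   udp  32773  nlockmgr'

# Read `rpcinfo -p` output on stdin; print one unique "proto port" pair per
# NFS-related service (portmapper, nfs, mountd, nlockmgr). Header line skipped.
nfs_ports() {
    awk 'NR > 1 && ($5 == "portmapper" || $5 == "nfs" ||
                    $5 == "mountd" || $5 == "nlockmgr") { print $3, $4 }' |
        sort -u
}

# Emit iptables rules that accept those ports only from the trusted subnet.
# $1 = source subnet (assumed value, adjust to your wired LAN); stdin as above.
# The wireless segment is deliberately not included, per the advice above.
nfs_rules() {
    subnet="$1"
    nfs_ports | while read -r proto port; do
        printf 'iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n' \
            "$subnet" "$proto" "$port"
    done
}

# On a real server you would pipe `rpcinfo -p` in instead of the sample.
printf '%s\n' "$SAMPLE_RPCINFO" | nfs_rules 192.168.1.0/24
```

Because the mountd and nlockmgr ports change across reboots, the rules must be regenerated each time, which is the argument for pinning them to fixed ports as the docs suggest.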
.===================================.
| This has been a P.L.U.G. mailing. |
|      Don't Fear the Penguin.      |
|  IRC: #utah at irc.freenode.net   |
`==================================='
