Re: NFS versus the firewall

Charles Curley wrote:
On Tue, Jan 01, 2008 at 12:25:05PM +1030, Tim wrote:
Something has bugged me for ages about trying to use NFS between
machines on the LAN.

http://www.charlescurley.com/nfs.html


Charles has given a link to his fairly comprehensive method for getting NFS-v[123] in an Iptables firewalled environment.

It should be noted that in the system-config-firewall command, they are talking about NFS-v4, which is more like FTP in its use of ports. The older protocol versions are much harder to configure.

I took a different tack in solving the problem...
I decided that inside my firewall, on the private-IP lan (I use a 10.x.x.x set of addresses) I want to treat the locally addressed network as a "trusted" network. Older versions of the firewall configurator (prior to F6?) had a checkbox to select such an option; the current s-c-firewall doesn't offer this.

What I did was insert a rule on the INPUT ruleset in front of the RH-Firewall-INPUT call:

#/etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
# Inserted: accept anything from the trusted LAN before the RH chain sees it
# (kept on its own line: iptables-restore only treats whole lines as comments)
-I INPUT --src 10.0.1.0/24 -j ACCEPT
-I INPUT --in-interface lo  --jump ACCEPT
:FORWARD ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH. . .

The 10.0.1.0/24 should be replaced with the CIDR of your local network.
This preempts the Firewall chain if the address is in the noted network.
Since the 10.x.x.x and other private address IP ranges are non-routable (meaning they won't be passed through a router generally) it is moderately safe to presume that such addresses originated inside your border firewall, and that they may use any available services without restrictions.


Once you edit the firewall rules in /etc/sysconfig/iptables (or do the slightly more complicated steps necessary to get F8 s-c-f to deal with a custom ruleset) older NFS versions will "automagically" work as long as you have the exports file set correctly.

This is less than professionally paranoid in terms of security, but I offer it as another method that solves more than the NFS problem.

--
Wolfe
<Drat, Thunderbird doesn't know about GNUpg keys!>
Hug Your Wolf!


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list