NFS and firewalls (was: firewalling scripts)
Benjamin Scott
bscott at ntisys.com
Tue Feb 1 18:20:01 EST 2005

On Tue, 1 Feb 2005, at 5:49pm, kend at xanoptix.com wrote:

> I really liked firestarter, too... EXCEPT that I was utterly unable to get
> it to allow NFS. So, whamo -- every so often, it'd start up, and no more
> homedir for me. Anyone have an idea about how to get around that?

Traditional NFS is not "firewall friendly". Additionally, putting a
firewall up and then allowing traditional NFS through is of dubious value
anyway. NFS (and the portmapper it depends on) has so many security
problems (both in design and implementation) that it's kind of pointless.
The solution has always been to put your NFS behind your firewall.

This may not apply to the more recent flavors of NFS, which support more
security features and can run over TCP. Since I don't know jack about them,
I can't comment one way or the other.

A firewall is *not* a panacea. In particular, it's worse than useless if
you just punch gigantic holes in it. You're wasting time and effort, and
giving yourself a false sense of security.

Please disregard the above lecture if it does not apply to you.
--
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind. |