Redid my network, getting back SMB/NFS
Derek Martin
invalid at pizzashack.org
Tue Apr 12 23:35:19 EDT 2005
On Mon, Apr 11, 2005 at 11:46:13PM -0400, David Kramer wrote:
> I have a feeling what's getting in my way is that SuSEFirewall2 is not
> flexible enough to do what I want. I need one of two different things
>
> 1) Let anything in/out for 192.168.1.*, and only let about 10 ports in from
> anywhere else.
This is easy to do with custom iptables rules, but having never even
used Suse (well, I have, but not enough to make it worth really even
mentioning), I don't know how to make Suse's firewall majiga do it...
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
probably would do what you suggested. OTOH, this could potentially be
dangerous, if the server was compromised. OTOOH, if the server is
compromised, the attacker can modify the iptables as desired. So it's
prolly not worth worrying about the extra complexity to get it
"right". If your server /is/ ever compromised, your whole network is
owned, essentially.
Doing NFS "right" is really tough... That's because it uses RPC to
figure out what ports should connect to where. You need to allow port
111 UDP (portmapper) so that clients can find out where to go to get
NFS... Then you also need to allow the port(s) actually used by the
NFS server, which could be almost anything... Practically speaking,
it usually ends up being somewhere around port 1024 UDP on most Linux
systems... I imagine nfsd just binds to the first unprivileged UDP
port it can acquire, unless you tell it to do something else (you can
force it to use privileged ports, or not).
> Side note: I *really* have to set up a dns server on my box now, because I
> can't open any of my domain names from my intranet, because they all go out
> and then back in. I need to tell all my internal machines that all of
> those addresses map to my server, which is now 192.168.1.2.
You could, of course, use hosts files, and use ssh/rdist/etc. to keep
them in sync on all your private hosts... There can't be THAT many of
them, could there? =8^)
--
Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in
undeliverable mail. Sorry for the inconvenience. Thank the spammers.
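The two rules Derek sketched, extended to David's full requirement, as an added example (not code from the original thread, and not a SuSEFirewall2 configuration): the LAN is trusted completely, a short list of ports is reachable from anywhere else, everything else is dropped, and the NFS-related ports are listed explicitly so the firewall documents which RPC ports it expects. The public port list is an assumption; portmapper on 111 is from the thread, nfsd's own port is 2049 on a standard setup (confirm with `rpcinfo -p`), and the ports mountd/statd/lockd pick at random have to be pinned and added to `NFS_PORTS` before this is useful on its own. By default it only prints the commands; `IPT=iptables` applies them.

```shell
#!/bin/sh
# Added example: minimal iptables ruleset for "trust 192.168.1.*, expose a few
# ports to everyone else". Dry run by default; run as root with IPT=iptables
# to apply.
IPT="${IPT:-echo iptables}"
LAN="192.168.1.0/24"
PUBLIC_TCP="22 25 80 443"      # assumed list of services open to the world
# portmapper (111) and nfsd (2049). mountd/statd/lockd pick ports at random
# unless pinned (e.g. rpc.mountd -p), so add them here once pinned.
NFS_PORTS="111 2049"

rule() { $IPT "$@"; }

base_rules() {
    rule -F INPUT
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

lan_rules() {
    # The blanket rule from the thread: anything from 192.168.1.* is accepted.
    rule -A INPUT -s "$LAN" -j ACCEPT
}

public_rules() {
    for p in $PUBLIC_TCP; do
        rule -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
}

nfs_rules() {
    # NFS only from the LAN. Redundant while lan_rules is in place, but these
    # survive if the blanket LAN rule is tightened later, and they record which
    # RPC ports the firewall expects to see.
    for p in $NFS_PORTS; do
        rule -A INPUT -s "$LAN" -p udp --dport "$p" -j ACCEPT
        rule -A INPUT -s "$LAN" -p tcp --dport "$p" -j ACCEPT
    done
}

gen_rules() {
    base_rules
    lan_rules
    public_rules
    nfs_rules
    # Everything else hits the DROP policy; log a sample first for troubleshooting.
    rule -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Sanity check on the generated set: ACCEPT rules that apply to traffic from
# outside the LAN without a port restriction (loopback and established
# connections excluded). Must be zero, or the "10 ports" promise is broken.
count_open_accepts() {
    gen_rules | grep -- '-j ACCEPT' | grep -v -- "-s $LAN" \
        | grep -v -- '--dport' | grep -v -- '-i lo' \
        | grep -v -- 'ESTABLISHED' | wc -l | tr -d ' '
}

gen_rules
```

Reviewing the output of the dry run before setting `IPT=iptables` is the point of the `rule` indirection; `count_open_accepts` is the check to rerun whenever a rule is added.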