On Mon, Apr 11, 2005 at 11:46:13PM -0400, David Kramer wrote:
> I have a feeling what's getting in my way is that SuSEFirewall2 is not
> flexible enough to do what I want. I need one of two different things
>
> 1) Let anything in/out for 192.168.1.*, and only let about 10 ports in from
> anywhere else.

This is easy to do with custom iptables rules, but having never even used
SuSE (well, I have, but not enough to make it worth really even mentioning),
I don't know how to make SuSE's firewall majiga do it...

  iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
  iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT

probably would do what you suggested. OTOH, this could potentially be
dangerous, if the server was compromised. OTOOH, if the server is
compromised, the attacker can modify the iptables as desired. So it's
probably not worth worrying about the extra complexity to get it "right".
If your server /is/ ever compromised, your whole network is owned,
essentially.

Doing NFS "right" is really tough... That's because it uses RPC to figure
out what ports should connect to where. You need to allow port 111 UDP
(portmapper) so that clients can find out where to go to get NFS... Then
you also need to allow the port(s) actually used by the NFS server, which
could be almost anything... Practically speaking, it usually ends up being
somewhere around port 1024 UDP on most Linux systems... I imagine nfsd just
binds to the first unprivileged UDP port it can acquire, unless you tell it
to do something else (you can force it to use privileged ports, or not).

> Side note: I *really* have to set up a dns server on my box now, because I
> can't open any of my domain names from my intranet, because they all go out
> and then back in. I need to tell all my internal machines that all of
> those addresses map to my server, which is now 192.168.1.2.

You could, of course, use hosts files, and use ssh/rdist/etc. to keep them
in sync on all your private hosts...
There can't be THAT many of them, could there? =8^)

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will result
in undeliverable mail. Sorry for the inconvenience. Thank the spammers.