NFS versus the firewall

G.Wolfe Woodbury ggw at wolves.durham.nc.us
Tue Jan 1 08:16:13 UTC 2008


Charles Curley wrote:
> On Tue, Jan 01, 2008 at 12:25:05PM +1030, Tim wrote:
>> Something has bugged me for ages about trying to use NFS between
>> machines on the LAN.
> 
> http://www.charlescurley.com/nfs.html
> 

Charles has given a link to his fairly comprehensive method for getting 
NFS-v[123] in an Iptables firewalled environment.

It should be noted that in the system-config-firewall command, they are 
talking about NFS-v4 which is more like FTP in its use of ports.  The 
older protocol versions are much harder to configure.

I took a different tack in solving the problem...
I decided that inside my firewall, on the private-IP lan (I use a 
10.x.x.x set of addresses) I want to treat the locally addressed network 
as a "trusted" network.   Older versions of the firewall configurator 
(prior to F6?) had a checkbox to select such an option; the current 
s-c-firewall doesn't offer this.

What I did was insert a rule on the INPUT ruleset in front of the 
RH-Firewall-INPUT call:

#/etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
# <------- Inserted rule (annotation kept on its own line: iptables-restore
#          treats a trailing "#..." on a rule line as a bad argument)
-I INPUT --src 10.0.1.0/24 -j ACCEPT
-I INPUT --in-interface lo  --jump ACCEPT
:FORWARD ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH. . .

The 10.0.1.0/24 should be replaced with the CIDR of your local network.
This preempts the Firewall chain if the address is in the noted network.
Since the 10.x.x.x and other private address IP ranges are non-routable 
(meaning they won't be passed through a router generally) it is 
moderately safe to presume that such addresses originated inside your 
border firewall, and that they may use any available services without 
restrictions.
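As an added illustration (not the author's code), the check below rebuilds the INPUT chain the way iptables-restore installs it, so the effect of `-I` versus `-A` and the breadth of the trusted-subnet rule can be seen; the ruleset it runs on is a constructed sample modelled on the one above, and the chain name RH-Firewall-1-INPUT is taken from the post.

```python
import ipaddress
import shlex

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample modelled on the ruleset in the post; it is not the author's file.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-I INPUT --src 10.0.1.0/24 -j ACCEPT
-I INPUT --in-interface lo --jump ACCEPT
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
COMMIT
"""

def build_chain(ruleset, chain="INPUT"):
    # Rule-specs of `chain` in the order iptables-restore would install them.
    rules = []
    for raw in ruleset.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*:" or line == "COMMIT":
            continue  # comment, table name, chain declaration or COMMIT
        cmd, target, *spec = shlex.split(line)
        if target != chain:
            continue
        if cmd == "-I":  # optional rule number; the default 1 puts it at the head
            pos = int(spec.pop(0)) if spec[0].isdigit() else 1
            rules.insert(pos - 1, spec)
        elif cmd == "-A":
            rules.append(spec)
    return rules

def option(spec, *names):
    # Value following the first of `names` present in a rule-spec, else None.
    hits = [spec[spec.index(n) + 1] for n in names if n in spec]
    return hits[0] if hits else None

def audit_trusted_subnets(ruleset, distro_chain="RH-Firewall-1-INPUT"):
    # One finding per source-based ACCEPT in INPUT, placed relative to the distro chain jump.
    rules = build_chain(ruleset)
    jump_at = next((i for i, r in enumerate(rules) if option(r, "-j", "--jump") == distro_chain), len(rules))
    findings = []
    for i, spec in enumerate(rules):
        src = option(spec, "--src", "-s", "--source")
        if src is None or option(spec, "-j", "--jump") != "ACCEPT":
            continue
        net = ipaddress.ip_network(src, strict=False)
        findings.append({"source": str(net),
                         "private": any(net.subnet_of(p) for p in RFC1918),
                         "before_distro_chain": i < jump_at,  # what the -I placement buys
                         "interface_bound": option(spec, "-i", "--in-interface") is not None})
    return findings
```

`interface_bound` being false records that the rule matches on source address alone, which is the trade-off the post acknowledges.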


Once you edit the firewall rules in /etc/sysconfig/iptables (or do the 
slightly more complicated steps necessary to get F8 s-c-f to deal with a 
custom ruleset) older NFS versions will "automagically" work as long as 
you have the exports file set correctly.

This is less than professionally paranoid in terms of security, but I 
offer it as another method that solves more than the NFS problem.

-- 
Wolfe
<Drat, Thunderbird doesn't know about GNUpg keys!>
Hug Your Wolf!

More information about the fedora-list mailing list