[215] in linux-security and linux-alert archive
IP firewalling and security
daemon@ATHENA.MIT.EDU (Thomas Koenig)
Fri Apr 21 21:13:14 1995
To: linux-security@tarsier.cv.nrao.edu (linux-security)
Date: Wed, 19 Apr 1995 20:35:19 +0200 (MET DST)
From: Thomas.Koenig@ciw.uni-karlsruhe.de (Thomas Koenig)
IP firewalling for a single machine, methinks, can be used to enhance
security of such services as X or NFS.
Suppose you only want to provide NFS service to the local subnet
192.168.0.0 (netmask 255.255.0.0), from your local server,
192.168.5.123.
In that case, putting the lines
ipfw add b deny udp from 0.0.0.0/0 to 192.168.5.123 111
ipfw add b accept udp from 192.168.0.0/16 to 192.168.5.123 111
ipfw add b deny udp from 0.0.0.0/0 to 192.168.5.123 2049
ipfw add b accept udp from 192.168.0.0/16 to 192.168.5.123 2049
into a suitable place (such as /etc/rc.d/rc.inet1) will cause any
Portmapper or NFS requests which appear to come from outside your
local organization to be silently dropped.
If your router is configured to drop any packets which appear to come
from the inside, but come in from the outside, you've closed any
NFS holes there may be to the outside world.
If your router doesn't - well, just how susceptible is NFS to an attack
similar in style to TCP spoofing? If you're only exporting read-only,
and this works, things should be fairly secure. If you're exporting
read-write, an attacker could possibly overwrite some data.
Question: if you've got nfsd and rpcd running firewalled, can anything
be gained by also firewalling mountd? This would probably have to be
done in mountd itself, since it doesn't bind to a specified port.
[BTW, thanks to Alan Cox for helping me figure out the ipfw syntax :-]
--
Thomas Koenig, Thomas.Koenig@ciw.uni-karlsruhe.de, ig25@dkauni2.bitnet.
The joy of engineering is to find a straight line on a double
logarithmic diagram.
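An added example, not part of the original post: a small Python model of the two filters Thomas describes, the per-host ipfw rules (UDP to ports 111 and 2049 on 192.168.5.123 accepted only from 192.168.0.0/16) and the router check that drops packets arriving from outside with an inside source address. The sample packets and the interface names "inside"/"outside" are constructed for the example; it shows why the host rules alone cannot tell a spoofed inside address from a real one.

```python
# Added example (not from the original post). Models the ipfw rules quoted
# above plus the router anti-spoofing check the post relies on.
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("192.168.0.0/16")   # local subnet from the post
SERVER = ipaddress.ip_address("192.168.5.123")    # NFS server from the post
RPC_PORTS = {111, 2049}                            # portmapper and nfsd

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    iface: str  # constructed: "inside" or "outside", where the router saw it

def host_filter(pkt: Packet) -> bool:
    """The four ipfw lines: UDP to the server's RPC ports is accepted only
    from the local subnet and denied from anywhere else. The rules name
    only udp, so other protocols and other ports are not touched by them."""
    if pkt.proto != "udp" or ipaddress.ip_address(pkt.dst) != SERVER:
        return True
    if pkt.dport not in RPC_PORTS:
        return True
    return ipaddress.ip_address(pkt.src) in INSIDE

def router_ingress_filter(pkt: Packet) -> bool:
    """Router rule from the post: a packet coming in from the outside must
    not claim an inside source address."""
    if pkt.iface == "outside" and ipaddress.ip_address(pkt.src) in INSIDE:
        return False
    return True

def allowed(pkt: Packet, router_filters_spoofing: bool) -> bool:
    """Combined decision: router check (if configured) first, then ipfw."""
    if router_filters_spoofing and not router_ingress_filter(pkt):
        return False
    return host_filter(pkt)

# Constructed sample packets
LOCAL_MOUNT = Packet("192.168.7.9", "192.168.5.123", "udp", 2049, "inside")
OUTSIDE_RPC = Packet("10.9.8.7", "192.168.5.123", "udp", 111, "outside")
SPOOFED_NFS = Packet("192.168.7.9", "192.168.5.123", "udp", 2049, "outside")

if __name__ == "__main__":
    for name, p in [("local", LOCAL_MOUNT), ("outside", OUTSIDE_RPC),
                    ("spoofed", SPOOFED_NFS)]:
        print(name, "no router check:", allowed(p, False),
              "with router check:", allowed(p, True))
```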