Chuck Swiger wrote:
On Jan 11, 2007, at 10:58 AM, Garrett Cooper wrote:
Just wondering if anyone has IPFilter / nfsd setup properly on their
boxes with any beta versions of FBSD.
It is typically not useful to implement firewall rules between NFS
servers and legitimate NFS clients.
The large number of RPC services using randomly assigned ports needed
by NFS and the fact that machines which trust each other enough to
permit filesharing and generally utilize a common set of directory
services to keep the user/group mappings synced mean that the NFS
server & clients should be considered in the same "trust domain" in
most cases.
Right, ok. I suppose I was just being lazy/trying to blanket support all
machines on my subnet without having to delve into individual hosts, but
that makes perfect sense. rpcbind (and RPC in general) strictly uses
ports under 1023--assuming that there are enough allocatable ports
available for each RPC service in the port range 1-1023--if running as
root, does it not?
Does the same rationale apply for Samba? That's part of the reason why
I'm concerned with running a firewall.. I run smbd/nmbd on the server
machine.
Either that, or I could switch to another firewall setup (albeit it'd be
sort of a pain). Does ipfw / pf work better with RPC than IPFilter?
Also if you suggest 7-CURRENT, what's the CVS tag for that version?
The HEAD of the CVS tree (aka "."). Updating the 7-CURRENT won't have
any affect upon firewall configuration for NFS, however.
Right. I was just going to see if there was any improvement in how
things were implemented in 7-CURRENT, because maybe the issues that I'm
encountering had been 'solved' in 7-CURRENT (although I would probably
have more issues with core kernel items as they're under heavy
development it appears given traffic on the current@ list).
Thanks Chuck!
-Garrett
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
