Hello Nicolas,

Actually we are still a small company and this particular job is for
some friends, a research group at the university who has recently had
problems, who will not listen to reason about the problems of
port-forwarding services like NFS. With that in mind, I told them that I
would help get them as secure as possible given their specific
requirements.

Like many people in the academic arena, it will take getting hacked
and attacked a few times before they realize that they should have
listened to more well informed people in the past, like me, who have
tried very hard to get them out of the current mentality of
"patchwork" until the next problem.

So, that being the case, I will simply try to make the best out of what
they have and will let get done.

Surprisingly, I have put in a few other EigerStein LRP firewalls
around here and those departments and groups completely, and I must
say easily, decided to go for the better protection schemes which I
had initially suggested.

These guys will learn with time I am sure.
Best Regards,
Cheers,
Lonnie

> Hello All,
>
>  > I have been trying, with no luck so far, to mount a directory
>  > from a machine that I have behind the EigerStein LRP to a
>  > client machine outside the firewall.
>
> Considering that, AFAIK, NFS has a very bad reputation
> security-wise I kinda think that this is a very bad idea (TM) (-;
> but if you still want to do it I think reading the following
> messages
> <http://www.geocrawler.com/archives/3/90/1999/2/0/350356/> and
> <http://www.esker.fr/itspublic/Documents/20000804044B.htm> might
> be useful to you.
>
> Apparently (& as far as I'm concerned fortunately) NFS doesn't
> appear to be very firewall friendly (it's apparently the "port
> mapper" which listens at port 111 tcp & udp (apparently, BTW, the
> name of this service is sunrpc/portmap) which hands out the port
> addresses which will be used...)
>
>  > I have opened a udp port 2049 which is supposed to be for nfs,
>  > but still I cannot seem to mount the server directory even
>  > though I can mount the server directory to other machines that
>  > are also inside the firewall.
>
> According to the list of "well known port numbers"
> (http://www.iana.org/assignments/port-numbers), and to the
> messages I posted the URL to previously you would have to open
> this in udp also (and as I believe Ray suggested probably to port
> forward them too...)
>
> BTW, I do believe that they are usually opened by default...
>
> > Actually because of the nature of our setup here, we have 2
> > machines that need to allow for nfs mounting and although my
> > personal thoughts are that they too should be behind the
> > firewall completely,
> > unfortunately I do not get the last word in this.
>
> (-; (-; (-;
>
> If the President/CEO doesn't get the last word on this, who does?
> (I confess, I paid a visit to your website... (rackmounted
> servers/firewall, nice... (-; ). (-; (-; (-;
>
> Couldn't you establish a VPN tunnel between them instead,
> wouldn't that work better & be more secure?
>
> > Opening port 2049 means that I have added this rule to the
> > ipfilter.conf file.
> >
> > $IPMASQADM portfw -a -P udp -L $EXTERN_IP 2040 -R 192.168.1.16 2049
>
> BTW, this is probably a typo that got there when you retyped that
> line but you've got port 2040 (instead of 2049) on the extern
> interface...
>
> If you do open these ports I would highly suggest that you open
> them only for the IP addresses of the other pc/server as some of
> these ports (especially 111) are regularly probed by people
> wanting to get into your pc...
>
> Good luck!
>
> Nicolas Riendeau
>
> PS: Please forgive my English as it is not my mother tongue.
> Thanks!


-- 
 Lonnie Cumberland
 OutStep Technologies Incorporated
 (313) 832-7366

 URL: http://www.outstep.com
 EMAIL: [EMAIL PROTECTED]
      : [EMAIL PROTECTED]
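An added example, not from any of the posters: a small POSIX shell check over constructed ipfilter.conf-style portfw lines that flags the external/internal port mismatch Nicolas spotted (2040 vs 2049) and emits ipchains input rules that accept the forwarded NFS and portmap ports only from one peer address, as he suggests. All addresses are placeholders and the rule lines are constructed, not copied from anyone's firewall.

```shell
#!/bin/sh
# Constructed sample of portfw rules in the style discussed in the thread.
# The first line carries the 2040/2049 mismatch; the others forward the
# portmapper (111 tcp and udp). Addresses are documentation placeholders.
EXTERN_IP="203.0.113.10"    # placeholder: firewall's external address
NFS_CLIENT="198.51.100.7"   # placeholder: the one outside client to allow
RULES='portfw -a -P udp -L 203.0.113.10 2040 -R 192.168.1.16 2049
portfw -a -P udp -L 203.0.113.10 111 -R 192.168.1.16 111
portfw -a -P tcp -L 203.0.113.10 111 -R 192.168.1.16 111'

# check_portfw: print "MISMATCH <ext> <int>" for every rule whose -L port
# differs from its -R port; exit status 1 if any mismatch was found.
check_portfw() {
    printf '%s\n' "$RULES" | awk '
        BEGIN { bad = 0 }
        { lport = ""; rport = ""
          for (i = 1; i <= NF; i++) {
              if ($i == "-L") lport = $(i + 2)
              if ($i == "-R") rport = $(i + 2)
          }
          if (lport != rport) { print "MISMATCH " lport " " rport; bad = 1 }
        }
        END { exit bad }'
}

# gen_acl: for each forwarded port, emit an ipchains input rule accepting
# it only from NFS_CLIENT, followed by a logged DENY for everyone else.
# (ipchains is the packet filter paired with ipmasqadm on 2.2 kernels.)
gen_acl() {
    printf '%s\n' "$RULES" | awk -v src="$NFS_CLIENT" -v ext="$EXTERN_IP" '
        { proto = ""; port = ""
          for (i = 1; i <= NF; i++) {
              if ($i == "-P") proto = $(i + 1)
              if ($i == "-L") port = $(i + 2)
          }
          printf "ipchains -A input -p %s -s %s -d %s %s -j ACCEPT\n", proto, src, ext, port
          printf "ipchains -A input -p %s -d %s %s -l -j DENY\n", proto, ext, port
        }'
}
```

Run `check_portfw` before loading the rules and fix any MISMATCH line; then load the `gen_acl` output ahead of the portfw rules so only the named peer can reach the forwarded ports.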




_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
