2012/5/12 Michael Schuh <michael.sc...@gmail.com>

> 2012/5/12 Ugo Bellavance <u...@lubik.ca>
>
>> On 2012-05-11 16:14, Michael Schuh wrote:
>>
>>> 2012/5/11 Ian Levesque <i...@crystal.harvard.edu>
>>>
>>> On May 11, 2012, at 2:52 PM, Ugo Bellavance wrote:
>>>
>>> > I'd need to have an NFS client access an NFS server. Both are on
>>> > a different network segment, so I need to have the traffic go
>>> > through the pfSense firewall. Does anyone have the list of ports
>>> > that must be allowed for NFSv3?
>>>
>>> If your client is on the LAN and the server the WAN, you should be
>>> fine with the built-in state management. If the NFSv3 server is
>>> behind a firewall, good luck... :) (basically, you'd need to
>>> configure your server to use static ports, which may not be possible
>>> with your NAS).
>>
>> My client is in LAN and the server is on OPT1 (another internal network).
>> I could do that with my current CheckPoint FW-1, but I needed to allow all
>> ports.
>
> Ian already pointed it out....much fun...
>
> if:
> all the clients need the NFS access, they should be in that subnet or the
> server should be in the subnet of the clients.
> then:
> find a solution to get the data shared between the clients and the secured
> service (what was the reason why that NFS-Server stands in a DMZ?)
> without opening the doors for the entire network.
> Think about your conceptual design. :-)
> endif:
>
> if:
> only specific clients need access
> then:
> Allow the traffic from specific (if not all clients need access)
> LAN clients to the NFS-Server.
>
> Secure up your server, make use of the local files /etc/hosts.allow,
> /etc/hosts.deny, cut off (deinstall them completely) all other services,
> accept only DSA/RSA-key authentication on SSHv2 and only v2.
> A word in the documentation about WHY you made it this way would be a
> good idea.
>
> Try to keep other services far from that box.
> endif:
>
> greetings
>
> m.

if it must be NFS - lol:

Maybe the simplest solution if the NFS-Server must be in a separate subnet
(DMZ) and all clients need access to it:

Create a special SSH account on the NFS server. This account has a very
restricted (at best no) shell; secure it up as far as possible. Create the
authentication keys and allow only key authentication. That account has
write access to the filesystem share that you would like to export via NFS.

Put a second box in the internal network. This box makes the NFS server for
you. This box shares the SSH-FUSE-FS (SSHFS) file share mounted from your
initial server. For details please read the respective documentation.

Result is: only an SSH connection between the internal net and your server.
All clients connect, read/write to the internal server. Both reached: easy
FW management and a secure NFS share.

Drawback: if another application related to the NFS server delivers the
authentication credentials, you have to manage that this gets applied to the
new internal NFS server.

VPN is a solution....an ssh tunnel is like a VPN ;-)

-- 
= = = http://michael-schuh.net/ = = =
Projektmanagement - IT-Consulting - Professional Services IT
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobil: 0175/5616453
@: m i c h a e l . s c h u h @ g m a i l . c o m
= = = Ust-ID: DE251072318 = = =
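The SSHFS-bridge layout described in the message above, as an added configuration example that is not part of the thread: the DMZ file server exposes one restricted, key-only SFTP account to a single internal host, which mounts it with sshfs and re-exports it over NFS to the LAN, so pfSense only has to pass TCP/22 between two hosts. The account name, addresses (RFC 5737 documentation ranges), paths and key file are all assumptions.

```sh
# Added example for the SSHFS-bridge layout. All names, addresses and paths
# below are assumptions, not values from the mailing-list thread.
BRIDGE_USER="nfsbridge"       # restricted account on the DMZ server
BRIDGE_HOST="192.0.2.10"      # internal box that will re-export via NFS
DMZ_SERVER="198.51.100.20"    # file server in the DMZ (OPT1)
LAN_NET="192.0.2.0/24"        # NFS clients allowed to mount from the bridge
CHROOT_DIR="/srv"             # must be root-owned and not writable by the account
SHARE_SUBDIR="share"          # $CHROOT_DIR/share is the writable data directory

# sshd_config fragment for the DMZ server: sftp only, keys only, no shell,
# no tunnelling, and only for connections coming from the bridge host.
sshd_match_block() {
  printf '%s\n' \
    "Match User $BRIDGE_USER Address $BRIDGE_HOST" \
    "    PasswordAuthentication no" \
    "    ChrootDirectory $CHROOT_DIR" \
    "    ForceCommand internal-sftp" \
    "    AllowTcpForwarding no" \
    "    AllowAgentForwarding no" \
    "    X11Forwarding no" \
    "    PermitTTY no"
}

# authorized_keys entry for the account: pinned to the bridge host's address
# and stripped of port/agent forwarding, X11 and pty via "restrict".
authorized_keys_entry() {
  pubkey="$1"   # the bridge host's public key, e.g. "ssh-ed25519 AAAA..."
  printf 'from="%s",restrict %s\n' "$BRIDGE_HOST" "$pubkey"
}

# sshfs mount command for the bridge host: the path is relative to the chroot,
# reconnect survives link drops, allow_other lets the NFS server see the mount.
sshfs_mount_cmd() {
  printf 'sshfs -o IdentityFile=/root/.ssh/nfsbridge_ed25519,reconnect,allow_other,default_permissions %s@%s:/%s /mnt/dmz-share\n' \
    "$BRIDGE_USER" "$DMZ_SERVER" "$SHARE_SUBDIR"
}

# /etc/exports line for the bridge host. A FUSE mount needs an explicit fsid=
# or the kernel NFS server will refuse to export it.
exports_line() {
  printf '/mnt/dmz-share %s(rw,sync,root_squash,no_subtree_check,fsid=1)\n' "$LAN_NET"
}

# pfSense then needs a single LAN rule: TCP/22 from $BRIDGE_HOST to $DMZ_SERVER.
# NFS traffic itself never crosses the firewall.
```

Apply each fragment on the host named in its comment; the functions only print the configuration so it can be reviewed before it is installed.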
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list