Yum, FTP, NFS & Internal Firewall

Charles Curley charlescurley at charlescurley.com
Fri Jun 17 07:34:12 MDT 2005


On Thu, Jun 16, 2005 at 09:36:18PM -0600, Michael Torrie wrote:
> On Thu, 2005-06-16 at 19:26 -0600, Charles Curley wrote:
> > I seem to have a firewall problem. I recently added some 802.11g
> > equipment to my home network, so I thought it would be a good idea to
> > tighten up the firewalls on the computers on the home network.
> > 
> > If I use system-config-securitylevel to set up a minimum firewall,
> > allowing only SSH, FTP and DNS, DNS works fine. ncftp simply falls
> > back to port instead of passive mode, and continues to work. Yum fails
> > as follows:

Add another item to the scenario: Amanda also uses FTP. Another reason
to get FTP working.

> 
> I'm a little confused.  What machine is running the firewall?  The
> client or the server?  

Server.

> If the firewall is on the server, you'll have to write a script that
> queries the local portmap port to find out what port NFS is running
> on (which will be a UDP port) and then punch that through the
> firewall.

Or else assign it a known port, as the docs Gabriel pointed to suggest.

Is NFS always UDP? I thought it could be either UDP or TCP.

> > 
> > Any ideas on how to get yum and NFS working?
> 
> For getting ftp through a firewall to the outside world, you'll want to
> insert the ip_conntrack_ftp module.  That will enable passive and port
> ftp (whatever it is called) to function properly.

Already in place.

> 
> Please tell us more about your setup.  Which machine runs a firewall and
> why, which machine is your internet gateway.

The server, and because I have some 802.11g equipment and decided to
be paranoid on this issue. The internet gateway is a third machine
which I don't think relevant to this problem.

> 
> On my firewall, I hang the wireless AP off a third NIC with a different
> subnet than my wired lan.  That way I can pretty much allow wired stuff
> to go on as normal (nfs, smb, etc), but prevent the wireless from using
> the less secure services.  

Generally a good idea. Unfortunately, the client machine is on the
other side of a wireless link.

> Also bear in mind that simply securing your running services is a
> whole lot better than a firewall as a firewall doesn't protect
> running services anyway.

Right, always a good idea.

> Also, rather than using nfs over an insecure (wireless) network,
> consider using smb or something that's at least authenticated.
> These days samba supports full unix file semantics between unix
> hosts including sym and hardlinks, special files, permissions, etc.
> it could replace nfs in some circumstances.

Unfortunately, one use for NFS is Fedora Core installations. I forget
what all the options are, but I don't think SMB is among them. And SMB
has its own firewall and security nightmares. And in this case, the
NFS mounts are RO and GPL'ed data anyway, so let a bad guy snarf them.


-- 

Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0  809C FFF6 4C48 4ECD DFDB
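The script Michael describes above, querying portmap for the ports the NFS helper daemons landed on and punching those through the server's firewall, as an added example that is not from the thread. It assumes iptables on the server with rules added to the INPUT chain, and embeds a constructed `rpcinfo -p` sample so it runs offline; it opens both the TCP and the UDP registrations, since NFS is not UDP-only.

```shell
#!/bin/sh
# Added example (not from the thread): derive iptables rules for the
# RPC-based NFS daemons (portmapper, nfs, mountd, nlockmgr, status)
# from what portmap reports, for both TCP and UDP registrations.
# The rpcinfo output below is a constructed sample so this runs offline.

SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp  32768  mountd
    100005    1   tcp  32769  mountd
    100021    1   udp  32770  nlockmgr
    100021    3   tcp  32771  nlockmgr
    100024    1   udp  32772  status
    100024    1   tcp  32773  status'

# nfs_rules SUBNET RPCINFO_TEXT
# Prints one iptables command per distinct (proto, port) pair an NFS
# service is registered on, limited to the trusted client SUBNET.
# Multiple versions on the same port (nfs v2/v3 on udp 2049) yield one rule.
nfs_rules() {
  subnet=$1
  printf '%s\n' "$2" |
    awk -v net="$subnet" '
      $5 == "portmapper" || $5 == "nfs" || $5 == "mountd" ||
      $5 == "nlockmgr" || $5 == "status" {
        key = $3 ":" $4
        if (!(key in seen)) {
          seen[key] = 1
          printf "iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n",
                 net, $3, $4
        }
      }'
}

# Against a live server: nfs_rules 192.168.1.0/24 "$(rpcinfo -p)" | sh
nfs_rules 192.168.1.0/24 "$SAMPLE_RPCINFO"
```

Because mountd, lockd and statd pick ports at random on each start, the rules must be regenerated after every reboot, which is why pinning them to known ports (as the docs Gabriel pointed to suggest) is the simpler fix.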