Yum, FTP, NFS & Internal Firewall
charlescurley at charlescurley.com
Fri Jun 17 07:34:12 MDT 2005
On Thu, Jun 16, 2005 at 09:36:18PM -0600, Michael Torrie wrote:
> On Thu, 2005-06-16 at 19:26 -0600, Charles Curley wrote:
> > I seem to have a firewall problem. I recently added some 802.11g
> > equipment to my home network, so I thought it would be a good idea to
> > tighten up the firewalls on the computers on the home network.
> > If I use system-config-securitylevel to set up a minimum firewall,
> > allowing only SSH, FTP and DNS, DNS works fine. ncftp simply falls
> > back to port instead of passive mode, and continues to work. Yum fails
> > as follows:
Add another item to the senario: Amanda also uses FTP. Another reason
to get FTP working.
> I'm a little confused. What machine is running the firewall? The
> client or the server?
> If the firewall is on the server, you'll have to write a script that
> queries the local portmap port to find out what port NFS is running
> on (which will be a UDP port) and then punch that through the
Or else assign it a known port, as the docs Gabriel pointed to suggest.
Is NFS always UDP? I thought it could be either UDP or TCP.
> > Any ideas on how to get yum and NFS working?
> For getting ftp through a firewall to the outside world, you'll want to
> insert the ip_conntrack_ftp module. That will enable passive and port
> ftp (whatever it is called) to function properly.
Already in place.
> Please tell us more about your setup. Which machine runs a firewall and
> why, which machine is your internet gateway.
The server, and because I have some 802.11g equipment and decided to
be paranoid on this issue. The internet gateway is a third machine
which I don't think relevant to this problem.
> On my firewall, I hang the wireless AP off a third NIC with a different
> subnet than my wired lan. That way I can pretty much allow wired stuff
> to go on as normal (nfs, smb, etc), but prevent the wireless from using
> the less secure services.
Generally a good idea. Unfortunately, the client machine is on the
other side of a wireless link.
> Also bear in mind that simply securing your running services is a
> whole lot better than a firewall as a firewall doesn't protect
> running services anyway.
Right, always a good idea.
> Also, rather than using nfs over an insecure (wireless) network,
> consider using smb or something that's at least authenticated.
> These days samba supports full unix file semantics between unix
> hosts including sym and hardlinks, special files, permissions, etc.
> it could replace nfs in some circumstances.
Unfortunately, one use for NFS is Fedora Core installations. I forget
what all the options are, but I don't think SMB is among them. And SMB
has its own firewall and security nightmares. And in this case, the
NFS mounts are RO and GPLled data anyway, so let a bad guy snarf them.
Charles Curley /"\ ASCII Ribbon Campaign
Looking for fine software \ / Respect for open standards
and/or writing? X No HTML/RTF in email
http://www.charlescurley.com / \ No M$ Word docs in email
Key fingerprint = CE5C 6645 A45A 64E4 94C0 809C FFF6 4C48 4ECD DFDB
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
Url : http://plug.org/pipermail/plug/attachments/20050617/a95e9c01/attachment.bin
More information about the PLUG