Yum, FTP, NFS & Internal Firewall

Michael Torrie torriem at chem.byu.edu
Thu Jun 16 21:36:18 MDT 2005

On Thu, 2005-06-16 at 19:26 -0600, Charles Curley wrote:
> I seem to have a firewall problem. I recently added some 802.11g
> equipment to my home network, so I thought it would be a good idea to
> tighten up the firewalls on the computers on the home network.
> If I use system-config-securitylevel to set up a minimum firewall,
> allowing only SSH, FTP and DNS, DNS works fine. ncftp simply falls
> back to port instead of passive mode, and continues to work. Yum fails
> as follows:

I'm a little confused.  What machine is running the firewall?  The
client or the server?  If the firewall is on the server, you'll have to
write a script that queries the local portmap port to find out what port
NFS is running on (which will be a UDP port) and then punch that through
the firewall.  If the firewall is on the client, then no special work
should be needed; stuff will just go out (according to your rules) and
the state table will let the return traffic back in.  In my experience
this works for tcp, udp and icmp (which is better than cisco pix, which
treats icmp as completely stateless).
> Any ideas on how to get yum and NFS working?

For getting ftp through a firewall to the outside world, you'll want to
insert the ip_conntrack_ftp module.  That will enable passive and port
ftp (whatever it is called) to function properly.

Please tell us more about your setup.  Which machine runs a firewall and
why, and which machine is your internet gateway?

On my firewall, I hang the wireless AP off a third NIC with a different
subnet than my wired lan.  That way I can pretty much allow wired stuff
to go on as normal (nfs, smb, etc), but prevent the wireless from using
the less secure services.  Also bear in mind that simply securing your
running services is a whole lot better than a firewall as a firewall
doesn't protect running services anyway.  Also, rather than using nfs
over an insecure (wireless) network, consider using smb or something
that's at least authenticated.  These days samba supports full unix file
semantics between unix hosts including symlinks and hardlinks, special
files, permissions, etc.  It could replace nfs in some circumstances.


Michael Torrie <torriem at chem.byu.edu>
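The "query portmap and punch the NFS ports through" approach from the reply above, as an added example that is not part of the original thread. It parses a constructed `rpcinfo -p` listing embedded inline (a real server would substitute the live command output) and prints the matching iptables rules for a trusted subnet rather than applying them, so it can be reviewed before use.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Constructed sample of `rpcinfo -p` output; NFS, mountd, nlockmgr and
# status get dynamic ports from portmap, which is why a fixed rule set
# cannot be written ahead of time. Replace with "$(rpcinfo -p)" on a
# real server.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp  32768  mountd
    100005    1   tcp  32769  mountd
    100021    1   udp  32770  nlockmgr
    100024    1   udp  32771  status'

# get_rpc_port SERVICE PROTO
# Prints the first port portmap reports for SERVICE over PROTO, or
# nothing if that service/protocol pair is not registered.
get_rpc_port() {
    printf '%s\n' "$SAMPLE_RPCINFO" |
        awk -v svc="$1" -v proto="$2" \
            '$5 == svc && $3 == proto { print $4; exit }'
}

# nfs_rules SUBNET
# Prints iptables INPUT rules admitting the RPC services NFS needs, but
# only from SUBNET (the wired LAN), so the wireless segment stays out.
nfs_rules() {
    subnet="$1"
    for svc in portmapper nfs mountd nlockmgr status; do
        for proto in udp tcp; do
            port=$(get_rpc_port "$svc" "$proto")
            [ -n "$port" ] || continue
            printf 'iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n' \
                "$subnet" "$proto" "$port"
        done
    done
}

# Stateful return-traffic rule plus the FTP helper the reply mentions
# (ip_conntrack_ftp on 2.6-era kernels; nf_conntrack_ftp on modern ones).
base_rules() {
    echo 'modprobe ip_conntrack_ftp'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
}

base_rules
nfs_rules 192.168.1.0/24
```

Because mountd and the lock/status daemons pick new ports on every start, this has to be rerun (or the daemons pinned to fixed ports) after each reboot or the rules will silently point at stale ports.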