Firewalling NFS

[Chuck Swiger]

On Jun 15, 2007, at 12:27 AM, Jeremie Le Hen wrote:
> It appears nearly impossible to firewall a NFS server on FreeBSD.

Yes and no.  It's quite easy to firewall NFS along with everything  
else using a "default deny" ruleset.  It's highly difficult to place  
a restrictive firewall ruleset between an NFS server and legitimate  
NFS clients, and, more relevantly, it's an open question as to  
whether it is useful (ie, results in a noticeable benefit to  
security) to try.

The primary purpose of a firewall is to restrict traffic between  
machines or subnets which are in different trust domains, but you'd  
darn well better be willing to trust the NFS clients which you intend  
to connect to your NFS server to access the data on that NFS server,  
or else you shouldn't be letting them connect via NFS at all.  This  
is because NFS is, by-and-large, unsecurable to a knowledgeable  
attacker who has NFS client access anyway, or even just the ability  
to see and inject packets into the same subnet that either the client  
or server is on.

This is less true if NFSv4 via SecureRPC is involved, but otherwise a  
simple MitM attack via ARP-cache poisoning or similar will get the  
attacker quite far...

-- 
-Chuck