cswiger at mac.com
Fri Jun 15 18:11:55 UTC 2007
On Jun 15, 2007, at 12:27 AM, Jeremie Le Hen wrote:
> It appears nearly impossible to firewall a NFS server on FreeBSD.
Yes and no. It's quite easy to firewall NFS along with everything
else using a "default deny" ruleset. It's highly difficult to place
a restrictive firewall ruleset between an NFS server and legitimate
NFS clients, and, more relevantly, it's an open question as to
whether it is useful (ie, results in a noticeable benefit to
security) to try.
The primary purpose of a firewall is to restrict traffic between
machines or subnets which are in different trust domains, but you'd
darn well better be willing to trust the NFS clients which you intend
to connect to your NFS server to access the data on that NFS server,
or else you shouldn't be letting them connect via NFS at all. This
is because NFS is, by-and-large, unsecurable to a knowledgeable
attacker who has NFS client access anyway, or even just the ability
to see and inject packets into the same subnet that either the client
or server is on.
This is less true if NFSv4 via SecureRPC is involved, but otherwise a
simple MitM attack via ARP-cache poisoning or similar will get the
attacker quite far...
More information about the freebsd-net