pf blocking nfs
Chuck Swiger
cswiger at mac.com
Wed Nov 30 03:33:44 GMT 2005
Aaron P. Martinez wrote:
[ ... ]
> Actually my network looks like this:
>
> INT---firewall------internal router/firewall---------good lan
>          |                      |
>          |                      |---------insecure lan (windoze machines)
>          |
>          |----DMZ
>
> the good lan is the only one that does nfs, so the nfs doesn't actually
> pass through the firewall, just connects to the internal router/firewall.
> I am simply trying to avoid a worst case scenario (internal router gets
> compromised) so trying to allow ONLY return packets. Is this unfeasible?
I take it that your internal firewall box has three NICs, then?
Normally, your firewall should not be doing anything else but security
and would not be mounting NFS or depending on any other services on your
network. If that is not possible, you should permit traffic through the
interface on the "good LAN".
--
-Chuck
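A pf.conf fragment for the internal router/firewall, added here as an example (it is not from the thread and not from either poster), showing what the "only return packets" policy Aaron asks about looks like on the good-LAN interface when the box itself mounts NFS, and the one exception it needs. Interface names, addresses, and the pinned mountd/rpc.lockd/rpc.statd ports are assumptions; rpcbind (111) and nfsd (2049) are the fixed ports.

```pf
# /etc/pf.conf on the internal router/firewall (added example, not from the thread).
# Interface names, addresses and the pinned RPC ports are assumptions for illustration.
ext_if  = "fxp0"        # toward the outer firewall
good_if = "fxp1"        # good LAN, the only segment that speaks NFS
bad_if  = "fxp2"        # insecure LAN (Windows hosts)

good_net   = "192.168.1.0/24"
nfs_server = "192.168.1.10"

# rpcbind (111) and nfsd (2049) sit on fixed ports. mountd, rpc.lockd and
# rpc.statd pick a random port at start-up unless pinned with -p, and a
# random port cannot be written into a firewall rule. Assumed pinning on the
# server: mountd -p 2050, rpc.statd -p 2051, rpc.lockd -p 2052.
nfs_ports  = "{ 111, 2049, 2050, 2051, 2052 }"
# Same pinning assumed on the router, which is an NFS client here.
client_rpc = "{ 2051, 2052 }"

set skip on lo0
block log all

# Good LAN, "return packets only": the router initiates every request, the
# outbound rule creates state, and only the matching reply is let back in.
# In pf of this era a pass rule does NOT keep state unless told to, so
# "keep state" is what makes the policy work for UDP as well as TCP.
pass out quick on $good_if proto { tcp, udp } from ($good_if) \
    to $nfs_server port $nfs_ports keep state

# The exception: NLM (lockd) and NSM (statd) are callback protocols. The
# server opens connections *to* the client to grant locks and to notify it
# after a reboot, so a pure return-packets policy silently breaks file
# locking. Allow only those, from the server only, to the pinned client ports.
pass in quick on $good_if proto { tcp, udp } from $nfs_server \
    to ($good_if) port $client_rpc keep state

# Everything else on the good LAN: hosts may go out through the router,
# but nothing new may come in to the router itself.
pass in  on $good_if from $good_net to ! ($good_if) keep state
pass out on $good_if keep state

# Insecure LAN and the outer link are routed, stateful, and never NFS.
# No rule on these interfaces names $nfs_ports, so a compromised Windows
# host (or the outer firewall) cannot reach rpcbind, nfsd or mountd.
block in quick on { $bad_if, $ext_if } proto { tcp, udp } to port $nfs_ports
pass  in on $bad_if from $bad_if:network keep state
pass  in on $ext_if keep state
pass out on { $bad_if, $ext_if } keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it. Before trusting `nfs_ports`, run `rpcinfo -p` against the server and check that the ports it reports for mountd, nlockmgr and status are the pinned ones; if they are not, the daemons are still picking random ports and the outbound rule will drop the mount. `pfctl -ss` shows the state entries as they are created, which is the quickest way to see which packet is being blocked when a mount hangs.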
More information about the freebsd-questions mailing list