pf blocking nfs

Chuck Swiger cswiger at mac.com
Wed Nov 30 03:33:44 GMT 2005


Aaron P. Martinez wrote:
[ ... ]
> Actually my network looks like this:
> 
> INT---firewall------internal router/firewall---------good lan
>         |                        |
>         |                        |---------insecure lan (windoze machines)
>         |
>         |----DMZ
> 
> the good lan is the only one that does nfs, so the nfs doesn't actually
> pass through the firewall, just connects to the internal router/firewall. 
> I am simply trying to avoid a worst case scenario (internal router gets
> compromised) so trying to allow ONLY return packets.  Is this unfeasible?

I take it that your internal firewall box has three NICs, then?

Normally, your firewall should not be doing anything else but security
and would not be mounting NFS or depending on any other services on your
network.  If that is not possible, you should permit traffic through the
interface on the "good LAN".

-- 
-Chuck
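A pf.conf for the three-NIC internal router that follows Chuck's advice, as an added example that is not part of the thread. It assumes the router is the NFS client and the server sits on the good LAN, with interface names, addresses and the pinned mountd/lockd/statd ports all being constructed values.

```pf
# Added example, not from the original thread. Assumptions: em0 = good LAN,
# em1 = insecure LAN, em2 = uplink to the outer firewall; the NFS server is
# 192.168.10.10 on the good LAN (constructed address); on that server mountd,
# lockd and statd have been pinned to fixed ports (1024-1026 here, an
# assumption) so they can be listed instead of opening every high port.
good_if   = "em0"
bad_if    = "em1"
ext_if    = "em2"
good_lan  = "192.168.10.0/24"
bad_lan   = "192.168.20.0/24"
nfs_srv   = "192.168.10.10"
nfs_ports = "{ 111, 2049, 1024, 1025, 1026 }"

set skip on lo0
block log all                      # default deny on every interface

# The router itself initiates the NFS mount. "keep state" makes pf match the
# server's replies against the state entry, so no "pass in" rule is needed on
# the good-LAN interface: only return packets of router-initiated NFS traffic
# come back in, which is the "ONLY return packets" behaviour asked for.
pass out quick on $good_if proto { tcp, udp } from ($good_if) \
    to $nfs_srv port $nfs_ports keep state

# Good-LAN hosts are routed through, but may not open anything to the router.
block in quick on $good_if from $good_lan to self
pass in on $good_if proto { tcp, udp, icmp } from $good_lan to any keep state
pass out on $ext_if keep state

# The insecure LAN never reaches the good LAN (and so never the NFS server);
# it only gets routed toward the uplink.
block in quick on $bad_if from $bad_lan to $good_lan
block in quick on $bad_if from $bad_lan to self
pass in on $bad_if proto { tcp, udp, icmp } from $bad_lan to any keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and watch `pflog0` with tcpdump for NFS traffic hitting the default block rule, which usually means an RPC daemon is still on a dynamic port.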