Re: NFS and IP filters
On Tue, 17 Aug 1999, Adam Morrison wrote:
> If neither is available, you'll have to resort to non-robust
> solutions, such as counting on the port number being the same across
> reboots, or opening up a port range.
It just occurred to me that one could run a script immediately after the
portmapper and the RPC services are up to create a dynamic firewall
ruleset.
for example:
rpcinfo -p 127.1|egrep 'rpcbind|mountd' |
awk '{print "A:input:j:ACCEPT:p:"$3":allowed network/host:your host "$4":"}'
would create something like (one line per RPC program version, so the
same port shows up more than once):
A:input:j:ACCEPT:p:tcp:allowed network/host:your host 111:
A:input:j:ACCEPT:p:udp:allowed network/host:your host 111:
A:input:j:ACCEPT:p:udp:allowed network/host:your host portnum:
A:input:j:ACCEPT:p:udp:allowed network/host:your host portnum:
A:input:j:ACCEPT:p:tcp:allowed network/host:your host portnum:
A:input:j:ACCEPT:p:tcp:allowed network/host:your host portnum:
Then, using a list of networks/hosts you wish to allow access to your
exported nfs directories, you can create a dynamic ruleset each time you
boot.
I use a certain modified version of this:
I have attached /etc/rc.d/init.d/ipfw and /etc/rc.d/init.d/ipchains
Here is a sample ruleset from the /etc/ipfw.accl file (that's the name of
my ruleset file):
A:input:j:ACCEPT:p:tcp:xxx.yyy.zzz.0/24:xxx.yyy.zzz.www 22:
A:input:j:REJECT:p:tcp:0.0.0.0/0:xxx.yyy.zzz.www 22:
Now, assuming you have a static ruleset, you concatenate the ruleset from
that awk command I did above at the beginning of the ruleset file before
running /etc/rc.d/init.d/ipfw start
Bug me for more details.
>
> =================================================================
> To unsubscribe, send mail to linux-il-request@linux.org.il with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail linux-il-request@linux.org.il
>
--
Ariel Biener
e-mail: ariel@post.tau.ac.il Work phone: 03-640608
fingerprint = 07 D1 E5 3E EF 6D E5 82 0B E9 21 D4 3C 7D 8B BC
#!/bin/sh
#
# /etc/rc.d/init.d/ipfw: loads the ruleset in /etc/ipfw.accl at boot by
# calling /etc/rc.d/init.d/ipchains, and flushes the input chain on stop.
#
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Nothing to do on a kernel without ipchains.
[ -f /sbin/ipchains ] || exit 0
# Ruleset file; exported so the ipchains script picks it up.
ACCL=/etc/ipfw.accl
export ACCL
# See how we were called.
case "$1" in
  start)
        # Load the rules ("onboot" also makes the script print them).
        /etc/rc.d/init.d/ipchains onboot
        ;;
  stop)
        # Drop every rule in the input chain.
        /sbin/ipchains -F input
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  *)
        echo "Usage: ipfw {start|stop|restart}"
        exit 1
esac
exit 0
#!/bin/sh
#
# /etc/rc.d/init.d/ipchains: turns each line of $ACCL into one ipchains
# command. Line format, colon separated:
#   A:input:j:ACCEPT:p:tcp:<source net/host>:<dest host> <port>:
# i.e. flag:value pairs followed by the source and destination addresses.
ACCL=${ACCL:-/etc/ipfw.accl}
export ACCL
# Start from an empty table; chain policies are left as they are.
/sbin/ipchains -F
if [ -s "$ACCL" ]; then
        # Skip comment lines and anything that is not a rule, then expand
        # the fields into "-flag value" pairs and run the result.
        grep -v '#' "$ACCL" | grep ':' |
        awk -F: '{print "/sbin/ipchains -"$1" "$2" -"$3" "$4" -"$5" "$6" -s "$7" -d "$8}' | sh
fi
if [ "X$1" = "Xonboot" ]; then
        echo
        echo "Current set FireWall rules:"
        echo
        /sbin/ipchains -L input
        echo
fi
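The idea in the message above, worked through as an added example (this is not code from the post or its attachments): parse "rpcinfo -p" output into the A:input:j:TARGET:p:proto:src:dst port: lines that /etc/ipfw.accl and the ipchains script use, pair each ACCEPT with a catch-all REJECT the way the ssh rules in the sample ruleset do, and print the resulting ipchains commands for review instead of piping them into sh. The client network 192.0.2.0/24 and server address 192.0.2.10 are assumed (documentation addresses), the rpcinfo output is a constructed sample, and the matched service list is widened from the post's rpcbind|mountd to the other programs an NFS client talks to (nfs, nlockmgr, status).

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the dynamic part
# of an /etc/ipfw.accl ruleset from "rpcinfo -p" output, in the
# A:chain:j:TARGET:p:proto:source:dest port: format the post's
# /etc/rc.d/init.d/ipchains script expects, and renders it as ipchains
# commands for review rather than executing them.
#
# Assumptions not in the original post: client net 192.0.2.0/24 and
# server 192.0.2.10 (documentation addresses); the service list covers
# everything an NFS client needs, not only rpcbind|mountd.

ALLOWED_NET=192.0.2.0/24
SERVER=192.0.2.10

# Constructed sample of "rpcinfo -p 127.1" output; not captured from a
# real host. Columns: program vers proto port service. Each RPC version
# is its own line, but all versions of a program share one port.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    635  mountd
    100005    1   tcp    635  mountd
    100005    2   udp    635  mountd
    100005    2   tcp    635  mountd
    100003    2   udp   2049  nfs
    100021    1   udp   1026  nlockmgr
    100024    1   udp   1024  status
    100024    1   tcp   1024  status'

# rpc_rules: rpcinfo -p output on stdin, accl lines on stdout. Emits one
# ACCEPT from the allowed net plus one REJECT from anywhere per distinct
# (proto, port) pair; seen[] drops the per-version duplicates that the
# post's one-liner produces.
rpc_rules() {
    awk -v src="$ALLOWED_NET" -v dst="$SERVER" '
        $5 ~ /^(portmapper|rpcbind|mountd|nfs|nlockmgr|status)$/ && !seen[$3, $4]++ {
            printf "A:input:j:ACCEPT:p:%s:%s:%s %s:\n", $3, src, dst, $4
            printf "A:input:j:REJECT:p:%s:0.0.0.0/0:%s %s:\n", $3, dst, $4
        }'
}

# accl_to_ipchains: the same field expansion the post's ipchains script
# does, printed instead of piped to sh. Comment lines and lines without
# a ':' are skipped, as there.
accl_to_ipchains() {
    grep -v '#' | grep ':' |
    awk -F: '{ printf "/sbin/ipchains -%s %s -%s %s -%s %s -s %s -d %s\n",
                      $1, $2, $3, $4, $5, $6, $7, $8 }'
}

# build_ruleset: dynamic RPC rules first, then the static part, so the
# output can be written over /etc/ipfw.accl before "ipfw start".
build_ruleset() {
    echo "$SAMPLE_RPCINFO" | rpc_rules
    echo "# static part (constructed): ssh from the allowed net only"
    echo "A:input:j:ACCEPT:p:tcp:$ALLOWED_NET:$SERVER 22:"
    echo "A:input:j:REJECT:p:tcp:0.0.0.0/0:$SERVER 22:"
}

build_ruleset | accl_to_ipchains
```

On a real host replace the embedded sample with `rpcinfo -p 127.1`, and run it only after mountd, lockd and statd have registered, since rpcinfo can only report ports that are already in the portmapper table. The ports those daemons pick change on every restart, so the file has to be regenerated whenever they are restarted, not just at boot, and the interval between the daemons binding and the rules being loaded is still unfiltered.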