
Re: NFS and IP filters



On Tue, 17 Aug 1999, Adam Morrison wrote:

> If neither is available, you'll have to resort to non-robust
> solutions, such as counting on the port number being the same across
> reboots, or opening up a port range.

It just occurred to me that one could run a script immediately after the
portmapper and the rpc services are up to create a dynamic firewall
ruleset.

for example:

rpcinfo -p 127.1 | egrep 'rpcbind|mountd' |
awk '{print "A:input:j:ACCEPT:p:"$3":allowed network/host:your host "$4":"}'

would create something like:

A:input:j:ACCEPT:p:tcp:allowed network/host:your host 111:
A:input:j:ACCEPT:p:udp:allowed network/host:your host 111:
A:input:j:ACCEPT:p:udp:allowed network/host:your host portnum:
A:input:j:ACCEPT:p:udp:allowed network/host:your host portnum:
A:input:j:ACCEPT:p:tcp:allowed network/host:your host portnum:
A:input:j:ACCEPT:p:tcp:allowed network/host:your host portnum:

Then, using a list of the networks/hosts you wish to allow access to your
exported nfs directories, you can create a dynamic ruleset each time you
boot.

I use a slightly modified version of this:

I have attached /etc/rc.d/init.d/ipfw and /etc/rc.d/init.d/ipchains

Here is a sample ruleset from the /etc/ipfw.accl file (that's the name of
my ruleset file):

A:input:j:ACCEPT:p:tcp:xxx.yyy.zzz.0/24:xxx.yyy.zzz.www 22:
A:input:j:REJECT:p:tcp:0.0.0.0/0:xxx.yyy.zzz.www 22:

Now, assuming you have a static ruleset, you prepend the output of the
awk command above to the ruleset file before running
/etc/rc.d/init.d/ipfw start.

Bug me for more details.


--
Ariel Biener
e-mail: ariel@post.tau.ac.il           Work phone: 03-640608
fingerprint = 07 D1 E5 3E EF 6D E5 82 0B E9 21 D4 3C 7D 8B BC
#!/bin/sh
#
# /etc/rc.d/init.d/ipfw: load the ipchains ruleset from $ACCL at boot
# (via /etc/rc.d/init.d/ipchains) and flush it on stop.

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Nothing to do on a system without ipchains.
[ -f /sbin/ipchains ] || exit 0

# Ruleset file read by /etc/rc.d/init.d/ipchains.
ACCL=/etc/ipfw.accl
export ACCL

# See how we were called.
case "$1" in
  start)
	# Load the ruleset; "onboot" makes the loader print the result.
	/etc/rc.d/init.d/ipchains onboot
	;;
  stop)
	# Drop every rule from the input chain.
	/sbin/ipchains -F input
	;;
  restart)
	$0 stop
	$0 start
	;;
  *)
	echo "Usage: ipfw {start|stop|restart}"
	exit 1
	;;
esac

exit 0

#!/bin/sh
#
# /etc/rc.d/init.d/ipchains: flush all chains, then load every rule in
# $ACCL.  Each rule line is colon-separated and becomes one ipchains call:
#   <cmd>:<chain>:<target opt>:<target>:<proto opt>:<proto>:<src>:<dst [port]>:
# e.g. A:input:j:ACCEPT:p:tcp:xxx.yyy.zzz.0/24:xxx.yyy.zzz.www 22:
# becomes
#   /sbin/ipchains -A input -j ACCEPT -p tcp -s xxx.yyy.zzz.0/24 -d xxx.yyy.zzz.www 22
# Lines containing "#" are skipped as comments.

# Honour the ACCL exported by /etc/rc.d/init.d/ipfw, default otherwise.
ACCL=${ACCL:-/etc/ipfw.accl}
export ACCL

# Start from an empty ruleset.
/sbin/ipchains -F

if [ -s "$ACCL" ]; then
	grep -v '#' "$ACCL" | grep ':' |
	awk -F':' '{print "/sbin/ipchains -"$1" "$2" -"$3" "$4" -"$5" "$6" -s "$7" -d "$8}' | sh
fi

# When called with "onboot" (from the ipfw script), show what was loaded.
if [ "X$1" = "Xonboot" ]; then
	echo
	echo "Current set FireWall rules:"
	echo
	/sbin/ipchains -L input
	echo
fi
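The generator step described in the message above, written out as a self-contained example. This is added code, not the poster's scripts or the attached init files, and it goes a little beyond the one-liner in the mail: it selects services by RPC program number (100000 portmapper, 100005 mountd, 100003 nfs) rather than by the name column, because rpcinfo prints the portmapper as "portmapper" on some systems and "rpcbind" on others; it emits only one rule per distinct protocol/port even when several program versions share a port; and it pairs every ACCEPT with a REJECT from 0.0.0.0/0, mirroring the port-22 pair in the sample ipfw.accl (ipchains matches first rule wins, so ACCEPT must come first). The rpcinfo output, the network 192.0.2.0/24 and the host 192.0.2.10 are constructed sample data so the example runs offline; on a real host call rpc_rules with only two arguments and it reads rpcinfo -p itself. Rules produced this way are only as current as the last run: mountd picks a new port whenever it restarts, not only at boot, so rerun the generator and reload the ruleset after restarting the RPC services.

```shell
#!/bin/sh
# Emit ipchains rules in the colon-separated format that the posted
# /etc/rc.d/init.d/ipchains script parses, from `rpcinfo -p` output.
# Added example, not part of the original post.

# Constructed sample of `rpcinfo -p` output (ports are hypothetical).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   1021  mountd
    100005    1   tcp   1023  mountd
    100005    2   udp   1021  mountd
    100005    2   tcp   1023  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100024    1   udp    811  status
    100024    1   tcp    813  status'

# rpc_rules NET HOST [RPCINFO_OUTPUT]
#   NET   - network/host allowed to reach the RPC services, e.g. 192.0.2.0/24
#   HOST  - address of this NFS server as seen by clients
#   RPCINFO_OUTPUT - optional; defaults to running rpcinfo -p locally
# Prints, for each distinct proto/port of portmapper, mountd and nfs:
#   A:input:j:ACCEPT:p:<proto>:<NET>:<HOST> <port>:
#   A:input:j:REJECT:p:<proto>:0.0.0.0/0:<HOST> <port>:
rpc_rules() {
    net=$1
    host=$2
    input=${3:-$(rpcinfo -p 127.0.0.1)}
    printf '%s\n' "$input" |
    awk -v net="$net" -v host="$host" '
        # Select by program number: 100000 portmapper/rpcbind,
        # 100005 mountd, 100003 nfs.  Other programs (e.g. status,
        # 100024 in the sample) are deliberately left out; add their
        # numbers here if you export them through the same filter.
        $1 == 100000 || $1 == 100005 || $1 == 100003 {
            key = $3 ":" $4          # proto:port
            if (!(key in seen)) {    # several versions share one port
                seen[key] = 1
                # ACCEPT before REJECT: ipchains uses first-match semantics.
                printf "A:input:j:ACCEPT:p:%s:%s:%s %s:\n", $3, net, host, $4
                printf "A:input:j:REJECT:p:%s:0.0.0.0/0:%s %s:\n", $3, host, $4
            }
        }'
}

# Stand-alone demo on the constructed sample: prints 12 rule lines,
# ready to be prepended to /etc/ipfw.accl.
rpc_rules 192.0.2.0/24 192.0.2.10 "$SAMPLE_RPCINFO"
```

Prepend the output to the static part of ipfw.accl and run the ipfw start script; the REJECT lines cover only the dynamically assigned ports, so the rest of the static ruleset (and the chain's default policy) still decides what happens to everything else.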