Firewall Wizards mailing list archives

Re: NFS over TCP really working thru F/W ??


From: Bill_Royds () pch gc ca
Date: Mon, 17 Nov 1997 15:39:12 -0500


The NFS ports below are for older versions of NFS and it is the UDP port
that is used so many firewalls don't handle it well (and it is a security
risk simply because UDP doesn't maintain state).
The problem with modern NFS is that the ports are not static but assigned
by a portmapper process using an RFC call so ports are assigned dynamically.
This means that most firewalls can't readily handle it unless they have a
true NFS proxy. Most firewalls, even proxy based ones, use only packet
filtering for services that they don't have a proxy for and packet filters
need stateful port information to be at all secure.
  It might be better to run a VPN through the firewall to an encryption
server in front of your NFS machines. NFS is performance sensitive so it
would require a high performance front-end to be effective.




ken () bridge com on 97-11-14 12:08:52 PM

Please respond to ken () bridge com

To:   firewall-wizards () nfr net
cc:    (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject:  NFS over TCP really working thru F/W ??




I've searched the archives of the firewalls mailing list about getting
Solaris' NFS over TCP working through a firewall, but I've not seen anyone
discuss how to actually get this working.  Has anyone made this work?  Can
you provide a cookbook synopsis and tell what ports are really needed?
(Of course, >I< don't want to do this, but it's a necessity.  At least
it's not involving the public Internet.  Any pointers to white papers or
other discussions that convincingly elucidate the evils of NFS that I
can show to other people?)

As for making it work, the closest I've seen in the archives is this:
From: "Mike O'Connor" <mjo () dojo mi org>
Date: Tue, 24 Jun 1997 13:10:48 -0400 (EDT)
Subject: NFS port numbers (fwd)

...
You'll want to do NFS over TCP instead of UDP.  NFS over TCP is supported
in Solaris 2.5.  At that point, the ports you have to worry about are:

nfsd            2049/udp        nfs             # NFS server daemon (clts)
nfsd            2049/tcp        nfs             # NFS server daemon (cots)
lockd           4045/udp                        # NFS lock daemon/manager
lockd           4045/tcp

And:

From: "William L. Hamlin" <whamlin () connetsys com>
Date: Tue, 24 Jun 1997 14:20:14 -0700 (PDT)
Subject: Re: NFS port numbers (fwd)

...
And don't forget about mountd, which opens up a whole different ballgame.
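As an added illustration (not part of the thread above), the following Python parses the Solaris-style services lines quoted in the thread and turns them into a firewall rule sketch that reflects the two points made here: only the TCP entries can be filtered statefully, and mountd and other portmapper-assigned services never appear in a static port table. The rule syntax, class names and the RFC 5737 addresses are constructed for the example.

```python
"""Classify the NFS ports quoted in the thread into firewall rules.

Added example, not from the original thread. Parses /etc/services-style
lines and separates TCP (stateful, filterable) from UDP (stateless) entries,
as the reply above distinguishes them. Rule syntax and addresses are constructed.
"""
import re
from dataclasses import dataclass

# Lines quoted in the thread (Solaris /etc/services style).
SERVICES_SNIPPET = """\
nfsd            2049/udp        nfs             # NFS server daemon (clts)
nfsd            2049/tcp        nfs             # NFS server daemon (cots)
lockd           4045/udp                        # NFS lock daemon/manager
lockd           4045/tcp
"""

# name, port/proto, then optional aliases (comments are stripped before matching)
LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\b(.*)$")


@dataclass(frozen=True)
class ServiceEntry:
    name: str
    port: int
    proto: str


def parse_services(text):
    """Parse /etc/services-style lines; skip blanks and comment-only lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable services line: {raw!r}")
        entries.append(ServiceEntry(m.group(1), int(m.group(2)), m.group(3)))
    return entries


def build_policy(entries, client_net="192.0.2.0/24", server="198.51.100.10"):
    """Return (rules, warnings). TCP entries become stateful allow rules;
    UDP entries are reported instead, since a packet filter cannot track them.
    client_net/server default to constructed RFC 5737 documentation addresses."""
    rules, warnings = [], []
    for e in entries:
        if e.proto == "tcp":
            rules.append(f"allow tcp from {client_net} to {server} port {e.port} "
                         f"state new,established  # {e.name}")
        else:
            warnings.append(f"{e.name} {e.port}/udp: stateless, not allowed by default")
    # mountd and other RPC services register with the portmapper at run time,
    # so a rule set built from the static table is necessarily incomplete.
    warnings.append("mountd/portmapper-assigned ports: not derivable from the static table")
    return rules, warnings
```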
