Re: securing a network with nfs

From: Corey Steele (CSteele@good-sam.com)
Date: 08/13/01


Message-Id: <sb778732.013@gwmail3.corp.good-sam.com>
Date: Mon, 13 Aug 2001 07:51:57 -0500
From: "Corey Steele" <CSteele@good-sam.com>
To: "<" <focus-linux@securityfocus.org>
Subject: Re: securing a network with nfs

I would see the following as being ideal for your situation...

     (internet)
         |
      [router]
         |
      [firewall]--(DMZ)
         |
    (private LAN)

The firewall has two interfaces, one to the DMZ, and one to the private LAN.

The DMZ should be configured with IP forwarding and packet filtering, so mail traffic and web, etc. all make it through the firewall unmolested, but requests to your NFS servers don't... of course, this only protects you at the service level. You can configure NFS a little more securely too, by:
1) use the noexec and nosuid options on all exported filesystems on the NFS server.
2) use only IPs in /etc/exports
3) read http://www.openbsd.org/faq/faq6.html#6.7; it's not OpenBSD specific, but it does a really good job touching on NFS security.

The private LAN interface should be configured with NAT and stateful packet filtering to hide all your inside machines.

If your backup solution is network-based and thus would need to be able to contact the NFS server directly, then you could set up a static rule to permit that through your firewall.

Best Regards,
Corey

<<<< This is in reply to a post by David Johnson which said.... >>>>

As my small ISP expands, we need to move to a centralized file storage
point (easier backups; also, if the mail server goes down, I want to be
able to toss on another box quick without having to grab the files from
the old server or backups of it; this can also lead to multiple
mailservers receiving at different priorities). The obvious solution is
NFS. But to run an NFS box out open on the net, not in a DMZ, is rather
dangerous IMO. And setting up one firewall to hide all boxes behind is
hard to do (especially with ftp), and it's a choke point.

Corey J. Steele, Security Analyst
Good Samaritan Society
e-mail: csteele@good-sam.com
voice: (605) 362-3899
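The reply's first two NFS hardening points (nosuid/noexec on the exported filesystems, and only IP addresses in /etc/exports) are easy to check mechanically on the server. The audit script below is an added example, not code from the original post or the list; the /etc/exports and /proc/mounts contents it reads are constructed sample data embedded inline, and a real run would read the live files instead.

```python
"""Audit an NFS server's exports and mount table against two hardening
points: exported filesystems carry the nosuid and noexec mount options,
and client lists use IP addresses or CIDR ranges rather than hostnames,
wildcards or netgroups.

Added example, not from the original post. SAMPLE_EXPORTS and
SAMPLE_MOUNTS below are constructed data standing in for /etc/exports
and /proc/mounts on a real server.
"""
import ipaddress
import re

# Constructed /etc/exports: one clean entry, one hostname client, one
# wildcard client, one netgroup, plus a comment and a line continuation.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/srv/mail      192.168.10.5(rw,sync) 192.168.10.6(rw,sync)
/srv/www       192.168.10.0/24(ro)
/srv/home      mailhost.example.com(rw) \\
               *.example.com(ro)
/srv/scratch   @trusted(rw)
/srv/public    *(ro)
"""

# Constructed /proc/mounts: only /srv/mail carries both nosuid and noexec.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext3 rw,relatime 0 0
/dev/sdb1 /srv/mail ext3 rw,nosuid,noexec,relatime 0 0
/dev/sdb2 /srv/www ext3 rw,nosuid,relatime 0 0
/dev/sdb3 /srv/home ext3 rw,relatime 0 0
"""

REQUIRED_MOUNT_OPTS = {"nosuid", "noexec"}


def parse_exports(text):
    """Return [(path, [client_spec, ...]), ...] from exports(5) syntax.

    Handles '#' comments, backslash line continuations and the
    client(options) form; the options are stripped, only the client kept.
    """
    text = text.replace("\\\n", " ")  # join continuation lines
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:]
        clients = [re.sub(r"\(.*\)$", "", s) for s in specs]
        entries.append((path, clients))
    return entries


def is_ip_client(spec):
    """True when the client spec is a literal IP address or CIDR network."""
    try:
        ipaddress.ip_network(spec, strict=False)
        return True
    except ValueError:
        return False


def parse_mounts(text):
    """Map mountpoint -> set of mount options from /proc/mounts lines."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def mount_for(path, mounts):
    """Longest mountpoint that contains path (falls back to '/')."""
    best = None
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best


def audit(exports_text, mounts_text):
    """Return a list of (export_path, reason) findings."""
    findings = []
    mounts = parse_mounts(mounts_text)
    for path, clients in parse_exports(exports_text):
        for client in clients:
            if not is_ip_client(client):
                findings.append((path, f"non-IP client spec '{client}'"))
        opts = mounts.get(mount_for(path, mounts), set())
        missing = sorted(REQUIRED_MOUNT_OPTS - opts)
        if missing:
            findings.append((path, "mounted without " + ",".join(missing)))
    return findings


if __name__ == "__main__":
    for export_path, reason in audit(SAMPLE_EXPORTS, SAMPLE_MOUNTS):
        print(f"{export_path}: {reason}")
```

On the sample data the only export that passes both checks is /srv/mail; /srv/home is flagged three times (a hostname, a wildcard, and missing mount options), and /srv/scratch and /srv/public fall back to the root filesystem's options because nothing is mounted at those paths. To audit a real server, replace the two constants with the contents of /etc/exports and /proc/mounts.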
