Subject: Re: restricting NFS (and associated services) to one IP address
To: None <netbsd-users@netbsd.org>
From: Wolfgang S. Rupprecht <wolfgang+gnus200610@dailyplanet.dontspam.wsrcc.com>
List: netbsd-users
Date: 10/09/2006 10:58:22
"Steven M. Bellovin" <smb@cs.columbia.edu> writes:
> I have some machines with two Ethernet interfaces. I'd like to run an NFS
> server, but I want to restrict it to access via just one of the two
> interfaces. I don't see any easy way to do that.
>
> An obvious approach is to use pf or ipf, but that doesn't play well with
> portmapper.
I've always wondered why NFS et al didn't allow you to specify
the interface to bind to too.
I've been running the following pf ruleset for years. It is
basically a block-all, with explicit holes for trusted services and
trusted interfaces. The keep-state on incoming connections is just an
efficiency hack. The keep-state on outgoing connections is what
allows the return packets back in.
Suggestions / comments welcome. I suppose posting this is a good way
to see if I've messed up anything. ;-)
-wolfgang
###############################################################################
##                                                                           ##
##  File:     pf.conf                                                        ##
##  Author:   Wolfgang S. Rupprecht                                          ##
##  Created:  Sat Apr 17 09:54:05 PDT 2004                                   ##
##  Contents: pf version of our packet filter rules                          ##
##                                                                           ##
## $Id: pf.conf,v 1.10 2006/01/19 06:25:39 wolfgang Exp $
###############################################################################
# test:
#     pfctl -ng -f /etc/pf.conf
#
# run:
#     pfctl -e -Frules -f /etc/pf.conf
#
# reread:
#     pfctl -Frules -F nat -f /etc/pf.conf ; spamwatcher.rc
#
# to add a host to the blocked list:
#     pfctl -q -t spam -T add 10.1.2.3
#
# Note: last match rules and "quick" ends evaluation
# Rules must be in order: options, normalization, queueing,
#                         translation, filtering
public_if="sk1"
intern_if="sk0"
#
# Normalization
#
# cleanup any funny business. Drop screwy packets from outside.
scrub in on $public_if
#
# Filtering
#
# default: block everything
block return log
# allow local packets to travel unimpeded.
pass quick on lo0 keep state
# No localhost spoofing
block quick log from 127.0.0.0/8
block quick log from ::1
# efficiency hack: don't filter inside interface
pass quick on $intern_if keep state
# No wsrcc network spoofing
block quick log from 10.1.2.0/24
# Load our spammer / hardcore IP-pest file.
table <spam> persist file "/etc/pf-hardcore"
block return quick log from <spam>
# allow ipv6 encapsulated packets on public_if (for tunneling)
# we will later filter them on gif0 to remove harmful packets.
pass quick on $public_if proto ipv6 keep state # proto 41
# allow the tunneled protocols that will be filtered later
pass quick proto esp keep state
pass quick proto ah keep state
pass quick proto icmp keep state
pass quick proto icmp6 keep state
# allow all traffic to multicast addresses in. Perhaps I'll regret this.
pass to 224.0.0.0/4 keep state
# well known tcp servers
pass in proto tcp to port = ssh flags S/SAFR keep state # 22
pass in proto tcp to port = smtp flags S/SAFR keep state # 25
pass in proto tcp to port = domain flags S/SAFR keep state # 53
pass in proto tcp to port = www flags S/SAFR keep state # 80
pass in proto tcp to port = auth flags S/SAFR keep state # 113
pass in proto tcp to port = ripng flags S/SAFR keep state # 521
# known udp servers
pass in proto udp to port = domain keep state # 53
pass in proto udp to port = ntp keep state # 123
pass in proto udp to port = isakmp keep state # 500
pass in proto udp to port = ripng keep state # 521
# allow outgoing connections, keep state for return packets.
pass out proto tcp flags S/SAFR keep state
pass out proto udp keep state
#
# end
#
--
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
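Applying the same block-all-then-punch-holes pattern to the NFS case Steve asked about, as an added example that is not part of Wolfgang's pf.conf above (the sk0/sk1 interface names are reused from it; ports are written numerically so the rules do not depend on /etc/services). Only the portmapper (111) and nfsd (2049) sit on fixed ports; mountd, lockd and statd get theirs from the portmapper at startup, which is why a per-port allow list on the public side is awkward and why the inside interface is passed wholesale instead:

```pf
public_if="sk1"
intern_if="sk0"

# default: block everything. Any RPC daemon sitting on a dynamic port
# (mountd, lockd, statd) is therefore unreachable from the public side
# without having to know which port it picked.
block return log

# loopback is unfiltered; the RPC daemons register with the portmapper here.
pass quick on lo0 keep state

# belt and braces: refuse portmapper and nfsd on the public interface
# explicitly and log it, so probes show up on pflog even if someone later
# adds a broad "pass in" for another service.
block return in quick log on $public_if proto { tcp, udp } to port { 111, 2049 }

# inside interface: the fixed-port services, documented on their own...
pass in quick on $intern_if proto tcp to port { 111, 2049 } flags S/SAFR keep state
pass in quick on $intern_if proto udp to port { 111, 2049 } keep state
# ...plus the wholesale pass that actually lets mountd/lockd/statd work,
# since their ports are only known at runtime.
pass in quick on $intern_if keep state

# outgoing: the state entries let the replies back in.
pass out proto tcp flags S/SAFR keep state
pass out proto udp keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and confirm from the public side with `rpcinfo -p` against the sk1 address, which should time out or be refused while the same call from sk0 lists the registered programs.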