Subject: Re: restricting NFS (and associated services) to one IP address
To: None <netbsd-users@netbsd.org>
From: Wolfgang S. Rupprecht <wolfgang+gnus200610@dailyplanet.dontspam.wsrcc.com>
List: netbsd-users
Date: 10/09/2006 10:58:22
"Steven M. Bellovin" <smb@cs.columbia.edu> writes:
> I have some machines with two Ethernet interfaces.  I'd like to run an NFS
> server, but I want to restrict it to access via just one of the two
> interfaces.  I don't see any easy way to do that.
>
> An obvious approach is to use pf or ipf, but that doesn't play well with
> portmapper.  

I've always wondered why NFS et al didn't allow you to specify
the interface to bind to too.

I've been running this following pf ruleset for years.  It is
basically a block-all, with explicit holes for trusted services and
trusted interfaces.  The keep-state on incoming connections is just an
efficiency hack.  The keep-state on outgoing connections is what
allows the return packets back in.

Suggestions / comments welcome.  I suppose posting this is a good way
to see if I've messed up anything. ;-)

-wolfgang


###############################################################################
##									     ##
##	File:     pf.conf						     ##
##	Author:   Wolfgang S. Rupprecht                                      ##
##	Created:  Sat Apr 17 09:54:05 PDT 2004				     ##
##	Contents: pf version of our packet filter rules                      ##
##									     ##
##	$Id: pf.conf,v 1.10 2006/01/19 06:25:39 wolfgang Exp $
###############################################################################

# test:
# pfctl -ng -f /etc/pf.conf
#
# run:
# pfctl -e -Frules -f /etc/pf.conf

# reread: 
# pfctl -Frules -F nat -f /etc/pf.conf ; spamwatcher.rc

#
# to add a host to the blocked list:
# pfctl -q -t spam -T add 10.1.2.3
#

# Note: last match rules and "quick" ends evaluation

# Rules must be in order: options, normalization, queueing,
# translation, filtering

public_if="sk1"
intern_if="sk0"

#
# Normalization
#

# cleanup any funny business.  Drop screwy packets from outside.
scrub in on $public_if

#
# Filtering
#

# default: block everything
block return log

# allow local packets to travel unimpeded.
pass quick on lo0                                 keep state

# No localhost spoofing
block quick log from 127.0.0.0/8
block quick log from ::1

# efficiency hack: don't filter inside interface
pass quick on $intern_if                          keep state

# No wsrcc network spoofing
block quick log from 10.1.2.0/24

# Load our spammer / hardcore IP-pest file.
table <spam> persist file "/etc/pf-hardcore"
block return quick log from <spam>

# allow ipv6 encapsulated packets on public_if (for tunneling)
# we will later filter them on gif0 to remove harmful packets.
pass quick on $public_if proto ipv6               keep state # proto 41

# allow the tunneled protocols that will be filtered later 
pass quick proto esp                              keep state
pass quick proto ah                               keep state
pass quick proto icmp                             keep state
pass quick proto icmp6                            keep state

# allow all traffic to multicast addresses in.  Perhaps I'll regret this.
pass to 224.0.0.0/4				  keep state

# well known tcp servers
pass in proto tcp to port = ssh      flags S/SAFR keep state  # 22
pass in proto tcp to port = smtp     flags S/SAFR keep state  # 25
pass in proto tcp to port = domain   flags S/SAFR keep state  # 53
pass in proto tcp to port = www      flags S/SAFR keep state  # 80
pass in proto tcp to port = auth     flags S/SAFR keep state  # 113
pass in proto tcp to port = ripng    flags S/SAFR keep state  # 521

# known udp servers
pass in proto udp to port = domain                keep state  # 53
pass in proto udp to port = ntp                   keep state  # 123
pass in proto udp to port = isakmp                keep state  # 500
pass in proto udp to port = ripng                 keep state  # 521

# allow outgoing connections, keep state for return packets.
pass out proto tcp                   flags S/SAFR keep state
pass out proto udp                                keep state

#
# end
#

-- 
Wolfgang S. Rupprecht                http://www.wsrcc.com/wolfgang/
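An added check, not part of Wolfgang's post or his pf.conf: a deliberately simplified Python model of a subset of the rules above (the default block, the lo0 and sk0 quick passes, the anti-spoofing quick blocks, the ssh/domain holes and the outgoing passes; scrub, the spam table, the tunnel protocols, multicast, state and "return"/"log" are left out). It shows what "last match wins, quick ends evaluation" means for the original question: portmapper (111) and NFS (2049) traffic is blocked on the public interface and passed on the inside one. Interface names come from the post; the 198.51.100.7 source address is a constructed example.

```python
import ipaddress

# Constructed, simplified model of part of the ruleset in the post (not pf itself).
# Fields set to None act as wildcards; ordering is the order in pf.conf.
RULES = [
    dict(action="block", quick=False),                                    # block return log
    dict(action="pass",  quick=True,  iface="lo0"),                       # pass quick on lo0
    dict(action="block", quick=True,  src="127.0.0.0/8"),                 # no localhost spoofing
    dict(action="block", quick=True,  src="::1/128"),
    dict(action="pass",  quick=True,  iface="sk0"),                       # trusted inside interface
    dict(action="block", quick=True,  src="10.1.2.0/24"),                 # no inside-net spoofing
    dict(action="pass",  quick=False, dir="in",  proto="tcp", dport=22),  # ssh
    dict(action="pass",  quick=False, dir="in",  proto="udp", dport=53),  # domain
    dict(action="pass",  quick=False, dir="out", proto="tcp"),
    dict(action="pass",  quick=False, dir="out", proto="udp"),
]

def matches(rule, pkt):
    """True if every field the rule constrains agrees with the packet."""
    for key in ("iface", "dir", "proto", "dport"):
        if rule.get(key) is not None and rule[key] != pkt[key]:
            return False
    if rule.get("src") is not None:
        # An address-family mismatch (v4 address vs v6 network) simply does not match.
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
            return False
    return True

def evaluate(rules, pkt):
    """Verdict pf would reach: the last matching rule wins, unless a matching
    rule carries "quick", which ends evaluation on the spot."""
    verdict = "pass"            # pf's implicit default when no rule matches at all
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict

def packet(iface, direction, proto, src, dport):
    """Constructed packet summary: interface, in/out, protocol, source, dest port."""
    return dict(iface=iface, dir=direction, proto=proto, src=src, dport=dport)

if __name__ == "__main__":
    # NFS arriving on the public interface is caught by the default block ...
    print(evaluate(RULES, packet("sk1", "in", "tcp", "198.51.100.7", 2049)))  # block
    # ... while the same request on the inside interface hits the quick pass.
    print(evaluate(RULES, packet("sk0", "in", "tcp", "10.1.2.9", 2049)))      # pass
```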