NetBSD-Users archive


Re: How to configure npf to restrict nfs to localhost



On Mon, Jun 29, 2020 at 11:26:37AM +0530, Mayuresh wrote:
> On Mon, Jun 29, 2020 at 10:00:06AM +0530, Mayuresh wrote:
> > Any hints for how to block these ports for outside world and keep open for
> > localhost?
> 
> Tried:
> 
> group "external" on $ext_if {
>     ...
>     block final to any port 111
>     block final to any port 2049
>     ...
> 
> 
> This kind of works. I can telnet to the port from localhost. From outside
> it doesn't say connection refused, it just hangs instead. Obviously I am
> missing something.

fwiw, my default npf blocks are:

...
procedure "log" { log: npflog0 }

block return-rst in final proto tcp flags S/SA all apply "log"
block in final all apply "log"
...

so I'm returning reset and logging.

-- 
Paul Ripke
"Great minds discuss ideas, average minds discuss events, small minds
 discuss people."
-- Disputed: Often attributed to Eleanor Roosevelt. 1948.
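
A check for which of the two behaviours in this thread a ruleset produces, as an added example that is not part of either poster's message: run from a host outside the firewall, it tells a silent drop (the connection attempt hangs until it times out) apart from a connection that is refused, which is how a returned TCP reset appears to the client. The function names and the 3-second timeout are assumptions of this example, and it covers TCP only.

```python
import errno
import socket
import sys

# Ports named in the thread; the service labels are for readable output only.
NFS_PORTS = {111: "rpcbind", 2049: "nfs"}


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port by what a connection attempt gets back."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: port is reachable
    except ConnectionRefusedError:
        return "refused"           # RST came back (closed port or return-rst rule)
    except socket.timeout:
        return "filtered"          # no reply at all: packet silently dropped
    except OSError as exc:
        # An ICMP unreachable answer surfaces as one of these errno values.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise


def audit(host, expect, ports=NFS_PORTS, timeout=3.0):
    """Probe each port and report whether it is in the expected state.

    Returns {port: (state, matches_expectation)}.
    """
    results = {}
    for port in ports:
        state = probe_tcp(host, port, timeout)
        results[port] = (state, state == expect)
    return results


if __name__ == "__main__":
    # usage: script.py HOST [EXPECTED_STATE], e.g. "refused" for a return-rst rule
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    expect = sys.argv[2] if len(sys.argv) > 2 else "refused"
    failed = False
    for port, (state, ok) in audit(host, expect).items():
        print(f"{host}:{port} ({NFS_PORTS[port]}): {state}"
              f"{'' if ok else '  <-- expected ' + expect}")
        failed = failed or not ok
    sys.exit(1 if failed else 0)
```

Run from localhost, the same script should report `open` for both ports if the services are meant to stay reachable there.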

