tech-net archive
Re: NFS daemon port numbers for firewall config
>> Am I missing any existing way to do this?
> Sort of.
> Some firewall implementations can be extended with code that parses
> the allowed traffic in order to open up more ports. The traditional
> example is active FTP where the control port is well known while the
> data port is random [and goes the "wrong" way].
> You could have a portmapper application in your firewall that
> dynamically opens RPC ports when it sees permitted portmapper traffic
> listing those ports. Getting this right will require thought and
> attention to detail.
It also requires that you take a default-deny approach to firewalling,
rather than blocking off things you specifically want inaccessible.
If you default-accept, then anyone can find the dynamic ports used by
the likes of mountd by simply scanning the ephemeral port range,
bypassing the portmapper entirely.
And, as I read the post, the desire is to default accept, but block off
things like NFS.
However, except for CALLIT, you can block a few ports, like NFS, and
let it go at that; it doesn't matter much if someone can talk to your
mountd and get a filehandle for a filesystem root when they can't do
anything with the resulting filehandle. (I don't remember enough
SunRPC details to comment on CALLIT. I _think_ it is useless if port
111 is blocked, but I wouldn't trust my systems' security to that
memory without checking it out first.)
/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML mouse%rodents-montreal.org@localhost
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
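As an added illustration of the point made above (editor's example, not code from anyone in this thread): the registered ports of mountd and nlockmgr are not fixed, so a firewall that default-accepts and blocks only 111 and 2049 leaves them reachable. The script below parses the columnar output of `rpcinfo -p` (the sample registrations and port numbers are constructed) and reports which services would still be reachable under a given policy, which is the check an administrator would run on the NFS server before trusting a short block list.

```python
"""
Audit helper: parse `rpcinfo -p` output and report which RPC services remain
reachable under a firewall policy that only blocks a fixed list of ports.

The rpcinfo output below is constructed sample data. The mountd and nlockmgr
ports in it are arbitrary, which is exactly the problem the thread discusses:
they are assigned at daemon start-up and differ between boots and hosts.
"""
from dataclasses import dataclass

# Constructed sample of the usual `rpcinfo -p` layout (header plus one line
# per program/version/protocol registration).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    851  mountd
    100005    3   tcp    854  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp   1021  nlockmgr
    100021    4   tcp    633  nlockmgr
"""

# Ports that are fixed by convention; everything else registered with the
# portmapper is treated as dynamically assigned.
WELL_KNOWN_PORTS = {111, 2049}


@dataclass(frozen=True)
class RpcService:
    program: int
    version: int
    proto: str
    port: int
    name: str


def parse_rpcinfo(text):
    """Parse `rpcinfo -p` style output into RpcService records."""
    services = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, blank lines and anything that is not a registration.
        if len(fields) != 5 or not fields[0].isdigit():
            continue
        program, vers, proto, port, name = fields
        services.append(RpcService(int(program), int(vers), proto, int(port), name))
    return services


def reachable_under_policy(services, blocked_ports, default_deny=False):
    """Return the registered services a remote host could still reach.

    default_deny=False models "default accept, block a few ports": anything
    not in blocked_ports is reachable, including dynamically assigned ports.
    default_deny=True models a ruleset that only passes explicitly listed
    ports, so no dynamically registered service is reachable from outside.
    """
    if default_deny:
        return []
    return [s for s in services if s.port not in blocked_ports]


def dynamic_port_services(services):
    """Services whose port is not fixed by convention and therefore cannot
    be covered by a static block list."""
    return [s for s in services if s.port not in WELL_KNOWN_PORTS]


if __name__ == "__main__":
    regs = parse_rpcinfo(SAMPLE_RPCINFO)
    print("Registered services:", len(regs))
    for s in reachable_under_policy(regs, blocked_ports={111, 2049}):
        print(f"still reachable with default-accept: {s.name} {s.proto}/{s.port}")
    for s in dynamic_port_services(regs):
        print(f"dynamic port, needs default-deny or a portmapper-aware firewall: "
              f"{s.name} {s.proto}/{s.port}")
```

Run it against real `rpcinfo -p` output on the server to see which daemons a static block list misses; the dynamic-port list is what a default-deny ruleset (or the portmapper-parsing firewall suggested earlier in the thread) has to account for.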