On Oct 9, 2006, at 10:37 AM, Steven M. Bellovin wrote:
> On Mon, 9 Oct 2006 10:21:57 -0700, Chuck Swiger <cswiger@mac.com>  
> wrote:
>> With regard to NFS and RFC services involving portmap, please
>> understand that these services predated the notions of network
>> security and firewalls needed today, and that these services are
>> basically completely insecure.
>
> Given how long I've been working on network security and firewalls --
> close to 20 years -- I think I understand that *very* well.  (I also
> understand that many modern protocols aren't really any better, but  
> that's
> a separate rant.)

I've seen a post or two from you on Bugtraq, firewall-wizards and  
elsewhere, agreed; but your question about "default deny" surprised  
me enough to discard prior assumptions about any specific level of  
knowledge you might have.  More to the point, other readers of this  
mailing list are going to have a wide range of knowledge and might  
benefit from understanding the intrinsic lack of security found in  
NFS/portmap/etc.

>> It is not prudent or advisable to try
>> to combine routing/firewall functionality and filesharing on the same
>> machine; if your multihomed system is being used to route or NAT
>> traffic, then, if at all possible, you should not configure it to
>> operate as a fileserver as well.
>>
> Who said anything about routing, firewalls, or NAT?  Not I.

You stated that you had a multihomed machine which you wanted to use  
for filesharing but over only one interface.  You also stated "An  
obvious approach is to use pf or ipf....", which certainly appears to  
mean that you did say something something about using firewalls.

Or did someone else write Message-id:  
<20061009002448.c893eefd.smb@cs.columbia.edu>...?

> The situation is more like this.  I have several machines A, B, and C
> that are exposed to the Internet.  They also need to share files among
> themselves via NFS, on a separate LAN.  I want to make sure that nasty
> packets don't get to the NFS-related services on these machines.

I would not want to run NFS filesharing on an machine directly  
connected to the Internet without having a firewall in the way.

> I could, I suppose, create machine D, which is only on the back end  
> LAN; it
> could be the common file server.  For various reasons, that's not an
> ideal solution, though I may resort to it.

That's probably the best solution in terms of security, however.

> It also leaves open the question of keeping fake responses away  
> from the NFS clients on A, B, and C.

Use a firewall to block IP loose and strict source routing, as well  
as the (presumably) RFC-1918 subnet being used for your LAN, so that  
traffic on your internal LAN cannot be spoofed from outside.

-- 
-Chuck