How to run an NFS server without opening almost all ports available.
If memory serves me right, I asked about this very topic in here, years
ago. Without success, because most of the involved services use random ports by
default, particularly statd, lockd, mountd and rquotad. This leads to the
somewhat unsatisfying rules shown in [1].
A couple of months ago I finally did some reading and a lot of
searching, and was able to actually pin down these servers to allow for
cleaner and more secure firewall rules. (Remember though, we are
speaking about NFS...)
The action.AllowNFS I have used since then is attached. Comments are inline, for my
own convenience -- and now for yours.
A great resource to read about *how* to actually pin down these services
before you can use the rules is [2] (which of course is mentioned in the
Action). For more info about how to use and create your own Actions
please see the fine Shorewall Documentation at [3].
FWIW, even with the new Macro feature in Shorewall 3.0 it is my
understanding that an Action should be better suited for this kind of
complex rule. Any given packet is checked against the parts of the
rule that are present in the "rules" file and directed to the Action's
chain only if it matches, whereas a Macro would be expanded inline and
thus result in at least 6 rules to check the packet against -- for every
occurrence of the AllowNFS Action.
Hope you enjoy this Action...
-Karsten
[1] http://shorewall.net/ports.htm#id2460104
[2] http://www.lowth.com/LinWiz/ , Server Firewall, NFS Help
[3] http://shorewall.net/Actions.html
--
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
<http://www.catb.org/~esr/faqs/smart-questions.html>
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
<http://www.chiark.greenend.org.uk/~sgtatham/bugs.html>
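The pinning step described above only helps if the services really do come up on the fixed ports every time, so a check against `rpcinfo -p` is worth scripting. The following POSIX shell script is an added example and is not Karsten's attached action.AllowNFS nor any Shorewall code: it verifies that the RPC services are registered on the ports you chose, and prints the matching Shorewall action lines from that same port list so the firewall rules and the pinned ports cannot drift apart. The port numbers (892 for mountd, 4045 for lockd, 662 for statd, 875 for rquotad) and both `rpcinfo -p` samples are assumed/constructed for this example; the action file column layout is also an assumption to check against [3].

```shell
#!/bin/sh
# Added example: verify that NFS-related RPC services sit on pinned ports,
# and emit firewall rule lines from the same single source of truth.

# Assumed pinned ports (pick your own; these are example values).
PINNED_SERVICES="portmapper nfs mountd nlockmgr status rquotad"
expected_port() {
    case "$1" in
        portmapper) echo 111 ;;
        nfs)        echo 2049 ;;
        mountd)     echo 892 ;;   # rpc.mountd -p 892
        nlockmgr)   echo 4045 ;;  # lockd nlm_tcpport/nlm_udpport=4045
        status)     echo 662 ;;   # rpc.statd -p 662
        rquotad)    echo 875 ;;   # rpc.rquotad -p 875
        *)          echo "" ;;    # not covered by policy
    esac
}

# check_pinned_ports: reads `rpcinfo -p` text on stdin; prints one MISMATCH
# line per registration on an unexpected port; returns 0 only if none found.
check_pinned_ports() {
    mismatches=0
    while read -r prog vers proto port svc; do
        case "$prog" in program|'') continue ;; esac   # skip header/blank
        want=$(expected_port "$svc")
        [ -z "$want" ] && continue
        if [ "$port" != "$want" ]; then
            printf 'MISMATCH %s/%s on port %s (expected %s)\n' \
                "$svc" "$proto" "$port" "$want"
            mismatches=$((mismatches + 1))
        fi
    done
    [ "$mismatches" -eq 0 ]
}

# emit_action_lines: prints ACCEPT rules for every pinned service, tcp and udp.
# Column layout (TARGET SOURCE DEST PROTO DPORT) is an assumption about the
# Shorewall action file format; verify against the Shorewall documentation.
emit_action_lines() {
    printf '#TARGET\tSOURCE\tDEST\tPROTO\tDEST PORT\n'
    for svc in $PINNED_SERVICES; do
        for proto in tcp udp; do
            printf 'ACCEPT\t-\t-\t%s\t%s\t# %s\n' "$proto" "$(expected_port "$svc")" "$svc"
        done
    done
}

# Constructed sample: lockd (nlockmgr) was NOT pinned and took random ports.
SAMPLE_UNPINNED='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   tcp    892  mountd
    100005    3   udp    892  mountd
    100021    4   tcp  32803  nlockmgr
    100021    4   udp  32769  nlockmgr
    100024    1   tcp    662  status
    100024    1   udp    662  status
    100011    2   tcp    875  rquotad
    100011    2   udp    875  rquotad'

# Constructed sample: everything pinned as policy expects.
SAMPLE_PINNED=$(printf '%s\n' "$SAMPLE_UNPINNED" | sed 's/32803/4045/; s/32769/4045/')

# Stand-alone run: on a real host replace the sample with `rpcinfo -p`.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_UNPINNED" | check_pinned_ports || echo "unpinned services found"
    emit_action_lines
fi
```

Run it with `--demo` to see the two nlockmgr mismatches and the generated rule lines; on a live server pipe `rpcinfo -p | check_pinned_ports` into it from cron so a service that silently reverted to a random port after an upgrade is noticed before the firewall rules start dropping its traffic.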