ZLOnix
Junior Member | Редактировать | Профиль | Сообщение | Цитировать | Сообщить модератору
Добрый день.
Проблема: правила ipfw которые надо добавить чтобы бесперебойно работал NFS (клиент). Методом "научного тыка" я пришёл к таким выводам:
Цитата: eternity:/usr/local/etc/$ cat firewall.conf
#!/bin/sh
ipfw zero
ipfw resetlog
ipfw -q -f flush
fwcmd="/sbin/ipfw -q add"
${fwcmd} allow ip from any to any via lo0 # Allow anything via loopback interface
${fwcmd} count ip from any to me via fxp0 # Count incomming traffic from Onet
${fwcmd} count ip from me to any via fxp0 # Count outgoing traffic to Onet
${fwcmd} count ip from any to me via tun0 # Count incomming internet traffic
${fwcmd} count ip from me to any via tun0 # Count outgoing internet traffic
${fwcmd} deny log ip from 192.168.0.0/16 to me # RFC 1918 private IP
${fwcmd} deny log ip from 10.0.0.0/8 to me via tun0 # RFC 1918 priavateIP (only via tun device)
${fwcmd} deny log ip from 172.16.0.0/12 to me via tun0 # RFC 1918 private IP (only via tun device)
${fwcmd} deny log ip from 127.0.0.0/8 to me # loopback
${fwcmd} deny log ip from 0.0.0.0/8 to me # loopback
${fwcmd} deny log ip from 169.254.0.0/16 to me # DHCP auto-config
${fwcmd} deny log ip from 192.0.2.0/24 to me # Reserved for docs
${fwcmd} deny log ip from 204.152.64.0/23 to me # Sun cluster interconnect
${fwcmd} deny log ip from 224.0.0.0/3 to me # Class D & E multicast
${fwcmd} check-state # Check dynamic rules
${fwcmd} unreach host log icmp from any to me icmptypes 8,13,15,17 # echo, timestamp, information, address mask requests
${fwcmd} allow icmp from any to any # Allow any other ICMPs
${fwcmd} allow udp from me to any dst-port 111 keep-state #
${fwcmd} allow udp from any to me src-port 111 keep-state #
${fwcmd} allow udp from me to any dst-port 1022 keep-state # NFS related things
${fwcmd} allow udp from any to me src-port 1022 keep-state #
${fwcmd} allow ip from 10.0.0.132 to me frag #
${fwcmd} allow ip from me to any dst-port 2049 keep-state #
${fwcmd} allow udp from me to 10.0.0.131 dst-port 123 keep-state # Network time protocol
${fwcmd} allow udp from me to 10.0.0.130 dst-port 53 keep-state # Outgoing dns queries
${fwcmd} allow 47 from 10.0.0.130 to me keep-state # Allow incomming 47th protocol (GRE?)
${fwcmd} allow 47 from me to 10.0.0.130 keep-state # Allow outgoing 47th protocol (GRE?)
${fwcmd} allow tcp from me to 10.0.0.130 dst-port 1723 keep-state # VPN
${fwcmd} allow tcp from me to any dst-port 22,80,113,443,2401,5999,6667 keep-state # SSH, Web, SSL'ed Web, CVS, NFS, CVSup, IRC
${fwcmd} allow tcp from me to 213.85.10.5 dst-port 25,110 via tun0 keep-state # SMTP & POP3
${fwcmd} allow tcp from me to 10.0.0.131 dst-port 5222 keep-state # Jabber
${fwcmd} allow tcp from me to any dst-port 21 keep-state # Outgoing ftp queries
${fwcmd} allow tcp from any to me src-port 20 keep-state # Incoming ftp data |
Как видно в одном из правил я разрешаю проход фрагментированных пакетов от NFS сервера ко мне, но что будет если я захочу примонтировать раздел с другого компьютера? Придётся снова модифицировать правила firewall'a, с другой стороны, можно было бы добавить "allow ip from any to any frag", но так мой компьютер сможет быть подвержен сканированию каким-нибудь nmap-подобным сканером с опцией фрагментации пакетов для прохода через роутер. Возможно существуют какие-нибудь другие способы разрешения монтирования NFS разделов?
Спасибо. |
