ipf & NFS

stuart
Posts: 912
Joined: Mon Aug 23, 2004 5:37 pm
Location: Cambridge, UK

ipf & NFS

Post by stuart » Wed Jan 25, 2006 2:43 am

I was asking this question on IRC last night, and though there were a few ideas, no-one could quite work out how to do it:

Is there any way for a host exporting NFS shares to also run IPFilter?

With ipf.conf set to block all, but opening ports 111 and 2049, it still fails because the portmapper will assign a random privileged port for a client to connect to mountd. On most other OSes there seems to be a mechanism (the -p flag) to tie this service to a fixed port - but IRIX doesn't seem to have this.

Is there some setting, tunable, or binary that I'm overlooking, or are IRIX firewalls and NFS shares just incompatible?

(Can I perhaps use ipfilterd instead - since it seems to have much more powerful rules, or will this just hit the same problem? What's really needed is a connection-tracking module for ipf/ipfilterd that can detect portmap responses, and dynamically open the given port for the recipient of the response.)

Cheers,
Stuart
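As an added illustration (not code from the thread), here is what the "connection-tracking module" described above would have to do on the wire: decode a portmap v2 GETPORT call and its reply, pair the two by RPC transaction id, and learn the port the portmapper handed out for mountd. The message layouts are the standard ONC RPC / portmap v2 ones (RFC 1057/5531, RFC 1833); the packets, transaction ids and the port value 1023 are constructed for the example, and PortmapTracker is a hypothetical helper name, not an ipf or IRIX component.

```python
"""Minimal ONC RPC portmap (v2) GETPORT encoder/decoder plus a tracker that
pairs each GETPORT call with its reply, the way a stateful firewall helper
would have to in order to learn which port mountd landed on.
All packets are constructed inline; nothing is sent on the network."""
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
MOUNT_PROG, NFS_PROG = 100005, 100003
IPPROTO_TCP, IPPROTO_UDP = 6, 17
RPC_CALL, RPC_REPLY = 0, 1
MSG_ACCEPTED, SUCCESS, AUTH_NULL = 0, 0, 0


def _xdr_pad(n):
    """XDR opaque bodies are padded to a multiple of 4 bytes."""
    return (n + 3) & ~3


def _skip_auth(data, off):
    """Skip one auth structure (flavor, length, opaque body) starting at off."""
    _flavor, length = struct.unpack_from(">II", data, off)
    return off + 8 + _xdr_pad(length)


def build_getport_call(xid, prog, vers, prot):
    """Encode PMAPPROC_GETPORT(prog, vers, prot) with AUTH_NULL credentials."""
    hdr = struct.pack(">6I", xid, RPC_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    cred_verf = struct.pack(">4I", AUTH_NULL, 0, AUTH_NULL, 0)
    args = struct.pack(">4I", prog, vers, prot, 0)  # the port argument is ignored by GETPORT
    return hdr + cred_verf + args


def build_getport_reply(xid, port):
    """Encode an accepted, successful GETPORT reply; port 0 means 'not registered'."""
    return struct.pack(">7I", xid, RPC_REPLY, MSG_ACCEPTED, AUTH_NULL, 0, SUCCESS, port)


def parse_getport_call(data):
    """Return (xid, prog, vers, prot) for a portmap GETPORT call, else None."""
    try:
        xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">6I", data, 0)
        if (mtype, rpcvers, prog, vers, proc) != (RPC_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT):
            return None
        off = _skip_auth(data, _skip_auth(data, 24))  # credentials, then verifier
        tprog, tvers, tprot, _port = struct.unpack_from(">4I", data, off)
    except struct.error:  # truncated packet
        return None
    return xid, tprog, tvers, tprot


def parse_getport_reply(data):
    """Return (xid, port) for an accepted GETPORT reply, else None."""
    try:
        xid, mtype, reply_stat = struct.unpack_from(">3I", data, 0)
        if mtype != RPC_REPLY or reply_stat != MSG_ACCEPTED:
            return None
        off = _skip_auth(data, 12)  # reply verifier
        accept_stat, port = struct.unpack_from(">II", data, off)
    except struct.error:
        return None
    return (xid, port) if accept_stat == SUCCESS else None


class PortmapTracker:
    """Hypothetical helper: pairs GETPORT calls with replies by xid and records
    the dynamic ports a firewall would need to open for the requesting client."""

    def __init__(self):
        self.pending = {}   # xid -> (prog, vers, prot) awaiting a reply
        self.learned = {}   # (prog, prot) -> port announced by the portmapper

    def observe(self, data, from_server):
        if not from_server:
            call = parse_getport_call(data)
            if call:
                xid, prog, vers, prot = call
                self.pending[xid] = (prog, vers, prot)
            return None
        reply = parse_getport_reply(data)
        if reply is None or reply[0] not in self.pending:
            return None  # unsolicited reply: no matching call was seen, so nothing is opened
        xid, port = reply
        prog, _vers, prot = self.pending.pop(xid)
        if port == 0:
            return None
        self.learned[(prog, prot)] = port
        return prog, prot, port


def demo():
    """Constructed exchange: a client asks where mountd v1/TCP lives; the server answers 1023."""
    tracker = PortmapTracker()
    tracker.observe(build_getport_call(0x1234ABCD, MOUNT_PROG, 1, IPPROTO_TCP), from_server=False)
    learned = tracker.observe(build_getport_reply(0x1234ABCD, 1023), from_server=True)
    ignored = tracker.observe(build_getport_reply(0x99, 2222), from_server=True)
    return learned, ignored


if __name__ == "__main__":
    print(demo())
```

The tracker only ever opens a port it has seen the portmapper announce in reply to a call the client actually made; a reply with an unknown transaction id is dropped, which is the property any such helper needs so that a forged portmap reply cannot punch holes in the rule set.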

foetz
Moderator
Posts: 6591
Joined: Mon Apr 14, 2003 4:34 am

Post by foetz » Wed Jan 25, 2006 10:56 am

i did it a few months ago but the performance was lousy so i turned it off again :D

Post by stuart » Wed Jan 25, 2006 2:27 pm

foetz wrote: i did it a few months ago

Not to put too fine a point on it - but, erm, how?

Post by foetz » Thu Jan 26, 2006 4:10 pm

stuart wrote:
foetz wrote: i did it a few months ago

Not to put too fine a point on it - but, erm, how?


i would have to recover the old config from a tape IF i happen to have a tape from then... :P
anyway it should work by using the 'keep state' (or similar) keyword.

shel
Posts: 304
Joined: Fri Jan 13, 2006 11:25 am
Location: Uzes, France or Seattle, WA, USA

Re: ipf & NFS

Post by shel » Fri Jan 27, 2006 8:23 am

stuart wrote: I was asking this question on IRC last night, and though there were a few ideas, no-one could quite work out how to do it:

Is there any way for a host exporting NFS shares to also run IPFilter?

Sure. Just "pass in quick" and "pass out quick" all the packets from the machines (or subnets) you want to have NFS access.

My LAN is on the 192.168.0.0/16 subnet, so my ipf.conf has this right near the front:

#
# Local network
#
pass in quick from 192.168.0.0/16 to any keep state
pass out quick from any to 192.168.0.0/16 keep state
#

Works fine.

-Shel

Re: ipf & NFS

Post by foetz » Fri Jan 27, 2006 2:20 pm

shel wrote:
Sure. Just "pass in quick" and "pass out quick" all the packets from the machines (or subnets) you want to have NFS access.

My LAN is on the 192.168.0.0/16 subnet, so my ipf.conf has this right near the front:

#
# Local network
#
pass in quick from 192.168.0.0/16 to any keep state
pass out quick from any to 192.168.0.0/16 keep state
#

Works fine.

-Shel

hehe, that's the 'any' method.
i think stuart wanted it a bit closer.
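One way to get "a bit closer" than subnet-wide pass rules, added here as an example and not code from the thread: read the port assignments the portmapper actually handed out (the output of rpcinfo -p), keep only the NFS-related RPC programs, and emit ipf rules for the named client addresses only, with everything else blocked. The rpcinfo sample and the client addresses below are constructed; the rules use the same ipf syntax shel's ipf.conf fragment uses, plus "proto" and "port =" qualifiers. The caveat is the one stuart raised: mountd gets a fresh port at every restart, so the fragment this produces has to be regenerated and reloaded after each restart, which is exactly why a pinned mountd port (or a portmap-aware stateful helper) would be the nicer answer.

```python
"""Turn `rpcinfo -p` output into a client-restricted ipf rule set.
Only the programs NFS needs (portmapper, nfs, mountd, nlockmgr, status) are
opened, only for the listed client addresses, and mountd's current port is
taken from the portmapper rather than guessed.
SAMPLE_RPCINFO is a constructed sample in the standard `rpcinfo -p` layout."""
import re

# Constructed sample: mountd, nlockmgr and status sit on the privileged ports
# the portmapper handed out at boot; rstatd is there to show it gets filtered out.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp   1023  mountd
    100005    1   tcp   1023  mountd
    100005    3   tcp   1023  mountd
    100021    1   udp   1022  nlockmgr
    100024    1   udp   1021  status
    100001    2   udp   1020  rstatd
"""

NFS_PROGRAMS = {"portmapper", "nfs", "mountd", "nlockmgr", "status"}
_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)")


def parse_rpcinfo(text):
    """Return the set of (name, proto, port) triples; the version column does not affect filtering."""
    services = set()
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            _prog, _vers, proto, port, name = m.groups()
            services.add((name, proto, int(port)))
    return services


def ipf_rules(services, clients, wanted=NFS_PROGRAMS):
    """Emit default-deny ipf rules admitting only `clients` to the ports of the `wanted` RPC programs."""
    rules = ["block in all", "block out all"]
    endpoints = sorted({(proto, port) for name, proto, port in services if name in wanted})
    for client in clients:
        for proto, port in endpoints:
            # 'keep state' lets the server's replies out without a matching pass-out rule
            rules.append(f"pass in quick proto {proto} from {client} to any port = {port} keep state")
        # the lock manager / status monitor call back into the client, so let the server
        # initiate UDP towards trusted clients only
        rules.append(f"pass out quick proto udp from any to {client} keep state")
    return rules


def generate(text, clients):
    """Convenience wrapper: rpcinfo text in, ipf.conf fragment out."""
    return "\n".join(ipf_rules(parse_rpcinfo(text), clients)) + "\n"


if __name__ == "__main__":
    # Constructed client addresses; on a real host feed in the live `rpcinfo -p` output instead.
    print(generate(SAMPLE_RPCINFO, ["192.168.0.10/32", "192.168.0.11/32"]))
```

Because every pass rule is "quick" and carries a specific protocol, port and source, a laptop on the same flat subnet that is not in the client list never matches anything but the leading "block in all"; the trade-off is operational, not security-related, in that the generated fragment is only valid until the portmapper's next set of assignments.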

Re: ipf & NFS

Post by shel » Fri Jan 27, 2006 4:03 pm

foetz wrote:
hehe, that's the 'any' method.
i think stuart wanted it a bit closer.

Well, how close? He doesn't trust his own, presumably firewalled, local network? Or does he want to allow NFS shares over the Internet? It's tough to tell from the original posting.

If the portmapper's assigning random privileged ports is the problem, well, that _is_ a problem for any sort of firewalling. I suppose what we need here is the NFS analogue to FTP's "passive" mode, but I have to admit that I have no idea how to achieve that.

OK, maybe one idea ... implement port knocking, and then open things, generally, to successful port-knockers. I do that for SSH access, since open SSH ports seem to attract attackers.

-Shel

Alver
Posts: 773
Joined: Wed Dec 07, 2005 4:46 pm
Location: Wetteren, Belgium

Post by Alver » Fri Jan 27, 2006 4:21 pm

You use port knocking for ssh? That's most interesting... perhaps something for a different thread, otherwise this one might go somewhat off-topic ;) I found the port knocking idea remarkable but never tried it, I don't run many services anyway (ircd and ssh only, and ssh is restricted to one single host... so I'm not really in need of it).
while (!asleep()) sheep++;

Post by stuart » Fri Jan 27, 2006 4:43 pm

My Octane is installed at work, where we have a mixture of many different machines and OSes. As well as all of the IRIX/Solaris/Linux/HP-UX/AIX/etc. servers, we have all of the Sales people's Windows laptops - which tend to be spyware and virus infested to a scary degree.

We have a very flat network, so absolutely everything is on the same subnet.

Call me paranoid, but in this situation I'm working on the basis of blocking *everything*, and then only opening what is absolutely necessary.

Most other OSes (certainly Linux and Solaris, and I believe the BSDs too) have the ability to tie mountd to a fixed port, which portmap will then always return. IRIX doesn't seem to have this (incredibly useful) feature, though :(

Post by Alver » Sat Jan 28, 2006 3:43 am

I suppose you already saw man rpcports?

Looks somewhat related, not sure if you can do anything with it...

Post by shel » Sat Jan 28, 2006 10:52 am

stuart wrote: My Octane is installed at work, where we have a mixture of many different machines and OSes. As well as all of the IRIX/Solaris/Linux/HP-UX/AIX/etc. servers, we have all of the Sales people's Windows laptops - which tend to be spyware and virus infested to a scary degree.

We have a very flat network, so absolutely everything is on the same subnet.

Call me paranoid, but in this situation I'm working on the basis of blocking *everything*, and then only opening what is absolutely necessary.

Most other OSes (certainly Linux and Solaris, and I believe the BSDs too) have the ability to tie mountd to a fixed port, which portmap will then always return. IRIX doesn't seem to have this (incredibly useful) feature, though :(

In that milieu I'd be paranoid, too.

Does tcpwrappers work on portmapped stuff?

-Shel

