I have to agree about the NFS mounts on the FW being a bad idea .. NFS is 
in and of itself an insecure protocol ..

But if you must .. open the ports to the loc zone only .. But if I need to 
"Moose" files from a "loc" machine to a FW or the reverse, 
SFTP and SCP are a better, more secure choice ..


At 06:40 PM 12/5/2003, Ron Shannon wrote:
>You wrote:
> > I found here that specific ports would have to be opened in
> > order to have NFS
> > (on my internal network) function properly. But then I do
> > not want the ports to
> > be opened to the internet.
>Assuming your firewall zone is "fw" and your internal network zone is 
>"loc" and port1, port2, etc., are the ports you need, then you only need 
>two lines in your rules file:
>ACCEPT   fw   loc   tcp  port1,port2,port3...
>ACCEPT   loc  fw    tcp  port1,port2,port3...
>Those lines will allow the traffic to flow freely between internal 
>workstations and the firewall, so the firewall can act as your NFS file server.
>I must say, however, that in general, this is a bad idea. A firewall is 
>meant to be a wall -- only. The more additional services you put on the 
>firewall, the less secure (and more complex) it will be.
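An added example, not from either poster, of what those two rules look like with concrete NFS ports and the exposure to avoid shown beside them. It assumes the Shorewall rules-file columns ACTION SOURCE DEST PROTO DEST PORT(S), the standard portmapper port 111 and nfsd port 2049, and that mountd, lockd and statd have been pinned to fixed ports in the NFS daemon options (the 4001-4003 values are constructed placeholders).

```conf
# /etc/shorewall/rules fragment (added example; column layout assumed)
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)

# Internal LAN to the firewall's NFS server, and the firewall back to
# the LAN for lockd/statd callbacks.
# 111 = portmapper, 2049 = nfsd.
# 4001,4002,4003 = mountd, lockd, statd: these only have fixed ports if
# you pin them in the NFS daemon options; otherwise they take whatever
# the portmapper hands out and the rules below will not match.
# (constructed placeholder values, replace with the ports you pinned)
ACCEPT   loc     fw    tcp    111,2049,4001,4002,4003
ACCEPT   loc     fw    udp    111,2049,4001,4002,4003
ACCEPT   fw      loc   tcp    111,2049,4001,4002,4003
ACCEPT   fw      loc   udp    111,2049,4001,4002,4003

# Nothing here mentions "net", so the Internet side stays closed.
# This is the line to never write: it would expose the portmapper and
# nfsd on the firewall to the Internet.
#ACCEPT  net     fw    tcp    111,2049
```

Note that NFS also needs udp, not just tcp as in the quoted lines, unless every client is forced to mount with tcp.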
