
Re: nfs exports



On Mon, 2004-11-22 at 11:52, Casey Boone wrote:
> internet<->linux firewall<->local lan<->linux fileserver
> the firewall and fileserver are the ones I am doing nfs exports on

Ouch!  Don't run RPC services on the firewall, even if they are only LAN
facing.  General practice is minimal services on the firewall, and RPC
is one big and bad one!  ;->

If someone gets control of an internal system (typically through a
Windows client initiated exploit), the first thing they will notice is
RPC running on the default gateway.  They'd hit it first and foremost!

> I plan on blocking all traffic from the internet side except inbound
> ssh (actually that is how it is now for both public and private eth
> interfaces, haven't made eth1 trusted yet)

And what are you blocking outbound?  2049 should be a must (if you don't
have a "deny all outgoing" default in the first place).

-- 
Bryan J. Smith                                    b.j.smith@ieee.org 
-------------------------------------------------------------------- 
Subtotal Cost of Ownership (SCO) for Windows being less than Linux
Total Cost of Ownership (TCO) assumes experts for the former, costly
retraining for the latter, omitted "software assurance" costs in 
compatible desktop OS/apps for the former, no free/legacy reuse for
latter, and no basic security, patch or downtime comparison at all.
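
One way to put the advice in the reply into practice (default-deny in every direction on the firewall, inbound ssh only, and an explicit log-and-drop of portmapper and NFS so 2049 can never cross the box), written as an added example rather than anything from the thread. It assumes eth0 faces the internet, eth1 faces the LAN, and uses a constructed sample LAN range of 192.168.1.0/24; DRY_RUN=1 prints the iptables commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Rules for the firewall host in the
# topology above. Assumed: eth0 faces the internet, eth1 the LAN, and the
# LAN range is the constructed sample 192.168.1.0/24. Set DRY_RUN=1 to
# print the iptables commands instead of applying them.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_rules() {
    # Default deny in every direction, including traffic the firewall
    # itself originates; this is the "deny all outgoing" default from the reply.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT OUTPUT FORWARD; do
        ipt -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done
    # Portmapper (111) and NFS (2049) must never reach, leave or transit the
    # firewall. Log before dropping so a stray export attempt shows up in syslog.
    for chain in INPUT OUTPUT FORWARD; do
        for proto in tcp udp; do
            ipt -A "$chain" -p "$proto" -m multiport --dports 111,2049 \
                -j LOG --log-prefix "RPC-BLOCK: "
            ipt -A "$chain" -p "$proto" -m multiport --dports 111,2049 -j DROP
        done
    done
    # Only inbound ssh is accepted, on either interface, as in the poster's setup.
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # The firewall itself may originate only DNS and HTTP(S) for updates.
    ipt -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW -j ACCEPT
    # LAN hosts may initiate connections to the internet; nothing unsolicited
    # is forwarded back in, and the RPC drops above already cover LAN->WAN NFS.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Apply for real only when invoked as: sh firewall.sh apply
if [ "$#" -ge 1 ] && [ "$1" = "apply" ]; then build_rules; fi
```

Run with DRY_RUN=1 first and read the output; the RPC drop rules sit ahead of every accept rule so they win regardless of what is added later.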


