[pfSense] NFS through pfSense

Michael Schuh michael.schuh at gmail.com
Sat May 12 15:46:45 EDT 2012


2012/5/12 Ugo Bellavance <ugob at lubik.ca>

> On 2012-05-11 16:14, Michael Schuh wrote:
>
>>
>>
>> 2012/5/11 Ian Levesque <ian at crystal.harvard.edu>
>>
>>
>>
>>    On May 11, 2012, at 2:52 PM, Ugo Bellavance wrote:
>>
>>     > I'd need to have an NFS client access an NFS server.  Both are on
>>    a different network segment, so I need to have the traffic go
>>    through the pfSense firewall.  Does anyone have the list of ports
>>    that must be allowed for NFSv3?
>>
>>    If your client is on the LAN and the server the WAN, you should be
>>    fine with the built-in state management. If the NFSv3 server is
>>    behind a firewall, good luck... :) (basically, you'd need to
>>    configure your server to use static ports, which may not be possible
>>    with your NAS).
>>
>
> My client is in LAN and the server is on OPT1 (another internal network).
>  I could do that with my current CheckPoint FW-1, but I needed to allow all
> ports.
>
>
Ian already pointed it out... much fun...

if:
all the clients need the NFS access, they should be in that subnet or the
server should be in the subnet of the clients.
then:
find a solution to get the data shared between the clients and the secured
service (what was the reason why that NFS server stands in a DMZ?)
without opening the doors for the entire network.
Think about your conceptual design. :-)
endif:

if:
only specific Clients need access
then:
Allow the traffic from specific (if not all clients need access)
LAN clients to the NFS server.

Secure your server: make use of the local files /etc/hosts.allow and
/etc/hosts.deny, cut off (uninstall them completely) all other services,
and accept only DSA/RSA key authentication on SSHv2, and only v2.
A word in the documentation on WHY you did it this way would be a good
idea.

Try to keep other Services far from that box.
endif:

greetings

m.
-- 
= = =  http://michael-schuh.net/  = = =
Projektmanagement - IT-Consulting - Professional Services IT
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobil:  0175/5616453
@: m i c h a e l . s c h u h @ g m a i l . c o m

= = =  Ust-ID:  DE251072318  = = =
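
Added example, not part of the original thread: a sketch that turns `rpcinfo -p` output from an NFSv3 server into the list of ports a firewall between two segments would have to pass, and names the RPC services that still sit on dynamic ports and must be pinned first (the "static ports" point quoted above). The sample output is constructed, and the "tcp and udp ports differ" test is a heuristic assumption, not a guarantee.

```python
# Constructed sample of `rpcinfo -p <server>` output (not from the thread).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  40123  status
    100024    1   tcp  51877  status
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    4   udp  38465  nlockmgr
    100021    4   tcp  45631  nlockmgr
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
"""

# RPC services an NFSv3 client talks to.
NFSV3_SERVICES = {"portmapper", "nfs", "mountd", "nlockmgr", "status", "rquotad"}
# Fixed by convention; the rest are assigned at start-up unless pinned on the server.
WELL_KNOWN = {"portmapper": 111, "nfs": 2049}


def parse_rpcinfo(text):
    """Return {service: {(proto, port), ...}} for NFSv3-related services."""
    services = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and malformed rows: program, vers, proto, port, service.
        if len(fields) != 5 or not fields[3].isdigit():
            continue
        _prog, _vers, proto, port, name = fields
        if name in NFSV3_SERVICES:
            services.setdefault(name, set()).add((proto, int(port)))
    return services


def firewall_plan(services):
    """Split into rules that can be written now and services to pin first."""
    rules, unpinned = [], []
    for name, endpoints in sorted(services.items()):
        ports = {port for _proto, port in endpoints}
        # Heuristic (assumption): differing tcp/udp ports suggest a dynamic port.
        if name not in WELL_KNOWN and len(ports) > 1:
            unpinned.append(name)
            continue
        rules.extend((name, proto, port) for proto, port in sorted(endpoints))
    return rules, unpinned
```

A service that reports the same port on tcp and udp may still be dynamic; comparing two runs taken across a server restart is the firmer check.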