[pfSense] NFS through pfSense

Michael Schuh michael.schuh at gmail.com
Sat May 12 15:46:45 EDT 2012

2012/5/12 Ugo Bellavance <ugob at lubik.ca>

> On 2012-05-11 16:14, Michael Schuh wrote:
>> 2012/5/11 Ian Levesque <ian at crystal.harvard.edu>
>>    On May 11, 2012, at 2:52 PM, Ugo Bellavance wrote:
>>    > I'd need to have an NFS client access an NFS server.  Both are on
>>    > a different network segment, so I need to have the traffic go
>>    > through the pfSense firewall.  Does anyone have the list of ports
>>    > that must be allowed for NFSv3?
>>    If your client is on the LAN and the server the WAN, you should be
>>    fine with the built-in state management. If the NFSv3 server is
>>    behind a firewall, good luck... :) (basically, you'd need to
>>    configure your server to use static ports, which may not be possible
>>    with your NAS).
> My client is in LAN and the server is on OPT1 (another internal network).
>  I could do that with my current CheckPoint FW-1, but I needed to allow all
> ports.
Ian already pointed it out... much fun...

All the clients need the NFS access:
They should be in that subnet, or the server should be in the subnet of the
clients.
Find a solution to get the data shared between the clients and the secured
service (what was the reason why that NFS server stands in a DMZ?)
without opening the doors for the entire network.
Think about your conceptual design. :-)

Only specific clients need access:
Allow the traffic from specific (if not all clients need access)
LAN clients to the NFS server.

Secure up your server, make use of the local files /etc/hosts.allow,
/etc/hosts.deny, cut off (uninstall them completely) all other services,
accept only DSA/RSA key authentication on SSHv2 and only v2.
A word in the documentation: WHY you made that this way - would be a good

Try to keep other services far from that box.


= = =  http://michael-schuh.net/  = = =
Projektmanagement - IT-Consulting - Professional Services IT
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobil:  0175/5616453
@: m i c h a e l . s c h u h @ g m a i l . c o m

= = =  Ust-ID:  DE251072318  = = =
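
As an added example (not part of the original thread): a small Python check that reads `rpcinfo -p` output from the NFS server and separates the NFSv3 services whose ports stay fixed, and can therefore get a firewall rule limited to specific clients, from those that move between restarts and must be pinned on the server first. Both captures are constructed sample data; the port numbers and the function names are assumptions for illustration.

```python
import re

# RPC services an NFSv3 client has to reach (names as printed by `rpcinfo -p`).
NFS3_SERVICES = {"portmapper", "nfs", "mountd", "nlockmgr", "status"}

# Constructed captures of `rpcinfo -p <server>`, before and after a restart.
BEFORE = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100005    3   tcp  20048  mountd
    100005    3   udp  20048  mountd
    100021    4   tcp  38467  nlockmgr
    100024    1   tcp  45871  status
"""
# Same server after a restart: lockd and statd registered on new ports.
AFTER = BEFORE.replace("38467", "41733").replace("45871", "52290")

# program, version, protocol, port, service name; the header row does not match.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def nfs3_ports(rpcinfo_text):
    """Map each NFSv3-related service to the set of (proto, port) it registered."""
    ports = {}
    for line in rpcinfo_text.splitlines():
        m = ROW.match(line)
        if m and m.group(5) in NFS3_SERVICES:
            ports.setdefault(m.group(5), set()).add((m.group(3), int(m.group(4))))
    return ports


def firewall_plan(before, after):
    """Split services into pinned (same ports in both captures) and floating."""
    a, b = nfs3_ports(before), nfs3_ports(after)
    pinned = {svc: sorted(a[svc]) for svc in a if a[svc] == b.get(svc)}
    floating = sorted(svc for svc in a if a[svc] != b.get(svc))
    return pinned, floating


if __name__ == "__main__":
    pinned, floating = firewall_plan(BEFORE, AFTER)
    for svc, endpoints in sorted(pinned.items()):
        print("pass", svc, ", ".join(f"{proto}/{port}" for proto, port in endpoints))
    for svc in floating:
        print("pin on the server before writing a rule:", svc)
```
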