~mdw / firewall / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 94ce6e7)
*.m4: Actually allow NFS to untrusted hosts.
authorMark Wooding <mdw@distorted.org.uk>
Mon, 30 May 2022 21:23:13 +0000 (22:23 +0100)
committerMark Wooding <mdw@distorted.org.uk>
Mon, 30 May 2022 21:48:45 +0000 (22:48 +0100)
Some NFS servers are configured to allow mounts from untrusted hosts,
but the firewall won't let them.  Fix this.

jem.m4 patch | blob | blame | history
numbers.m4 patch | blob | blame | history
roadstar.m4 patch | blob | blame | history
telecaster.m4 patch | blob | blame | history

diff --git a/jem.m4 b/jem.m4
index 5f79248..ecbed74 100644 (file)
--- a/jem.m4
+++ b/jem.m4
@@ -40,6 +40,11 @@ allowservices inbound tcp \
        http https rsync \
        git
 
+allowservices inbound-untrusted tcp \
+       sunrpc mount nfs
+allowservices inbound-untrusted udp \
+       sunrpc mount nfs
+
 ## Provide DNS resolution to local untrusted hosts.
 for p in tcp udp; do
   run ip46tables -A inbound -j ACCEPT \
diff --git a/numbers.m4 b/numbers.m4
index 456ff84..32df339 100644 (file)
--- a/numbers.m4
+++ b/numbers.m4
@@ -36,6 +36,7 @@ defport bootpc 68
 defport tftp 69
 defport finger 79
 defport http 80
+defport sunrpc 111
 defport ident 113
 defport netbios_ns 137
 defport netbios_dgm 138
@@ -51,6 +52,7 @@ defport rsync 873
 defport ftps 990
 defport imaps 993
 defport h323 1720
+defport nfs 2049
 defport ssquid 3127
 defport squid 3128
 defport icp 3130
@@ -70,6 +72,7 @@ defport pgp_keys 11371
 defport i2p 16911
 defport disorder2 23598
 defport disorder 23599
+defport mount 32767
 defport udpkey 59274
 
 ## Protocol numbers.
diff --git a/roadstar.m4 b/roadstar.m4
index 5485d00..61b0aa9 100644 (file)
--- a/roadstar.m4
+++ b/roadstar.m4
@@ -33,6 +33,11 @@ allowservices inbound tcp \
        rsync \
        http https squid
 
+allowservices inbound-untrusted tcp \
+       sunrpc mount nfs
+allowservices inbound-untrusted udp \
+       sunrpc mount nfs
+
 ## Provide DNS resolution to local untrusted hosts.
 for p in tcp udp; do
   run ip46tables -A inbound-untrusted -j ACCEPT \
diff --git a/telecaster.m4 b/telecaster.m4
index b9f1069..103d11b 100644 (file)
--- a/telecaster.m4
+++ b/telecaster.m4
@@ -34,6 +34,11 @@ allowservices inbound tcp \
        rsync \
        http https squid ssquid
 
+allowservices inbound-untrusted tcp \
+       sunrpc mount nfs
+allowservices inbound-untrusted udp \
+       sunrpc mount nfs
+
 run iptables -A inbound -j ACCEPT \
        -p udp --destination-port $port_icp \
        -m limit --limit 10/second --limit-burst 100
Firewall scripts for distorted.org.uk.