NFS & Firewall

Bob H. Tikos tikos at cis.upenn.edu
Tue Sep 7 20:39:26 EEST 1999


Filippos Slavik wrote:
> 
> : On 06-Sep-99 Filippos Slavik wrote:
> : > to mount the remote fs) where the firewall is also in play, I let
> : > through
> : >
> : > *) udp & tcp on the portmapper's port
> : > *) udp & tcp on mountd's port
> : > *) nfs, which runs on 2049, I don't touch, since it passes through the fw
> : >
> : > even so it doesn't work... did I maybe forget something? any ideas?
> :
> : Perhaps some other ports above 1024. Why don't you set all ports
> : open, but with the kernel logging the packets (or the reverse: all
> : closed, with the packets logged), to see which ones are opened at the
> : moment you attempt the mount?
> 
> For now I have been playing with tcpdump to see what goes through, but
> without much success; what you suggest is the more correct way. The
> issue is that I don't know how to make ipchains log all the packets
> that get dropped *IN GENERAL*. Of course ipchains takes the -l
> parameter so that it logs the packets that a given rule accepts or
> drops, but what would serve me is what I am describing -> log whatever
> some rule ultimately dropped...
> 
> Regards,
> Slavikos
> 
> :
> : I.Ioannou <roryt at hol.gr>
> : --
> 
Well guys, here is what I have to suggest:

When someone wants to set up a firewall (ipchains OR ipfwadm),
a very useful tool (in my opinion, anyway..) is:

(excerpt from freshmeat.net)

Mason
    William Stearns - March 22nd 1999, 12:53 EST 

  Mason is a tool that interactively builds a firewall using Linux'
ipfwadm or ipchains firewalling. You leave mason running on the
firewall machine while you are making all the kinds of connections
that you want the firewall to support (and want it to block). Mason
gives you a list of firewall rules that exactly allow and block those
connections. It can either build a firewall from scratch for you or
supplement an existing firewall.

urls
                                                  
Download:
   http://users.dhp.com/~whisper/mason/mason-0.12.0.tar.gz 
Red Hat Packages:
   http://www.pobox.com/~wstearns/mason/mason-0.12.0-1.noarch.rpm 
Homepage:
   http://www.pobox.com/~wstearns/mason/ 

In general it has helped me enormously, both in understanding what
"firewall rules" are and in setting up my own firewalls
(I run three firewalls at the moment, at three different points in the
 area). What I recommend in the case above is:

Filippe (and anyone else, "of course"),
- download "mason". Compile it or install it (from the rpm).
- go into /etc/masonrc and look carefully at the variables. For now
  set NEWRULEPOLICY to "accept", DEFAULTPOLICY to "reject", and
  FLUSHPOLICY to "reject". I have left everything else as it was.
- under /var/lib/mason/, check that the "baserules" and "newrules"
  files are empty.
- then run "mason-gui-text" and start "BL" (Begin Learning) mode.

 While "BL" is running, start the nfs requests from the client.
 Then you will see "traffic" on the horizon.... eh.. (a parenthesis:
 I always prefer to work with two, three or four xterms, and in one of
 them I always run tail -f /var/log/messages). When you manage to
 mount the server on the client, do an "EL" in the "mason" window
 (EL = End Learning)
- umount the server.
- "Q" in mason
- run the /etc/rc.d/firewall.sh (or
  /wherever/you/have/put/it/firewall.sh) script again to restore it to
  its original state. (THIS IS A MUST!!!!! because it will always be
  left open after a "mason run")
- now:
   "newrules" contains the recorded rules for the "nfs attempts" you
   made.
- cut and paste them into firewall.sh and you're in. (if you have
  "reject all all" rules you must "prepend" them, because after a
  reject-any-any rule nothing matches)
- run firewall.sh again and try the nfs mount.
  (it should work "like a charm". UNLESS something slipped past me)
- clear out the "baserules" and "newrules" files (I copy them first
  as *.1, *.2 etc.) so that you are ready for the next "mason run"
- Oh, and one more thing. Let's not forget: RTFM !!!! it helps.

That's all. Phew.
I hope I helped

Mpamphs.
(wow.. what a long e-mail... first time that's happened to me)

PS :
     And for the earthquake victims: courage, guys. God will lend His
hand.


-- 
  Haralabos Bob Tikos -Systems Programmer/Admin.
Eniac2000 Project, CIS Department, University of Pennsylvania
http://reno.cis.upenn.edu  Tel.: +.215.573.8149                 
"Power should be distributed equally among those who are not in love
with it"  Plato
--
====================================================================
For help (or to unsubscribe) e-mail majordomo at hellug.gr
The list archives are at http://lists.hellug.gr/archives
Before sending a question, search whether it has already been answered.
For any problem, e-mail owner-linux-greek-users at hellug.gr
====================================================================
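
Added example, not part of the original e-mail and not Mason's own code: the "prepend" step from the message above, done with a script instead of by hand. ipchains stops at the first rule that matches a packet, so the learned ACCEPT rules have to sit above any catch-all REJECT/DENY. The function name merge_rules, the file names, the addresses and the mountd port are constructed for illustration, and the learned rules are written as plain ipchains commands rather than in Mason's exact output format.

```shell
#!/bin/sh
# Added example (not from the original e-mail). ipchains stops at the first
# matching rule, so learned ACCEPT rules must sit above a catch-all REJECT/DENY.

# merge_rules FIREWALL_SCRIPT NEWRULES_FILE -> merged script on stdout.
# Heuristic: a catch-all is an append (-A) with target REJECT or DENY and no
# protocol, interface or non-wildcard address restriction.
merge_rules() {
    [ -s "$2" ] || { cat "$1"; return; }
    awk '
        NR == FNR { if ($0 !~ /^[ \t]*(#|$)/) new[++n] = $0; next }
        !done && /ipchains/ && / -A / && / -j (REJECT|DENY)( |$)/ {
            t = $0
            gsub(/ -[sd] (0\/0|0\.0\.0\.0\/0)/, "", t)
            if (t !~ / -[psdi] /) {
                print "# learned rules, inserted before the catch-all"
                for (i = 1; i <= n; i++) print new[i]
                done = 1
            }
        }
        { print }
        END { if (!done) for (i = 1; i <= n; i++) print new[i] }
    ' "$2" "$1"
}

# Constructed sample data: addresses, ports and file names are placeholders.
work=$(mktemp -d)
cat > "$work/firewall.sh" <<'EOF'
#!/bin/sh
ipchains -F input
ipchains -A input -i lo -j ACCEPT
ipchains -A input -p tcp -s 0/0 -d 192.0.2.1 22 -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 -j REJECT -l
EOF
cat > "$work/newrules" <<'EOF'
# learned while mounting from the NFS client
ipchains -A input -p udp -s 192.0.2.10 -d 192.0.2.1 111 -j ACCEPT
ipchains -A input -p udp -s 192.0.2.10 -d 192.0.2.1 635 -j ACCEPT
ipchains -A input -p udp -s 192.0.2.10 -d 192.0.2.1 2049 -j ACCEPT
EOF

merge_rules "$work/firewall.sh" "$work/newrules" > "$work/firewall.sh.merged"
cat "$work/firewall.sh.merged"
```

Review the merged file before replacing the live script: the learned rules are only as narrow as the traffic that was generated during the learning run.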