DaemonForums  

#1
Old 14th November 2012
Skinny
Port Guard
 
Join Date: Jul 2012
Posts: 25
NFS through PF

I'm trying to mount NFS through PF.
PF is passing traffic on 111 and 2049 both tcp and udp.

According to `rpcinfo -p` the mountd port is dynamic. How can I tie mountd to use one specific port?
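An added example, not from this thread and not OpenBSD's own tooling, to make the first post's observation concrete: a small sh script that parses `rpcinfo -p` output and reports which RPC registrations sit outside the ports PF passes. The rpcinfo text below is a constructed sample (the mountd ports in it are invented placeholders), the function names are mine, and the 111/2049 list is assumed from the post's rule set; on a real host, pipe live `rpcinfo -p` output into the same functions.

```shell
#!/bin/sh
# Added example (not from the thread): compare RPC registrations from
# `rpcinfo -p` against the ports a PF rule set passes.
# SAMPLE_RPCINFO is CONSTRUCTED text in the layout rpcinfo -p prints;
# the mountd ports 619/620 are invented placeholders.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    619  mountd
    100005    3   tcp    620  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs'

# Ports the firewall passes (assumed from the post: 111 and 2049, tcp and udp).
PF_PASSED_PORTS="111 2049"

# rpc_ports SERVICE: read rpcinfo -p output from stdin and print
# "proto port" for every registration of SERVICE.
rpc_ports() {
    awk -v svc="$1" 'NR > 1 && $5 == svc { print $3, $4 }'
}

# port_passed PORT: succeed if PORT is in PF_PASSED_PORTS.
port_passed() {
    for p in $PF_PASSED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# blocked_registrations: read rpcinfo -p output from stdin and print
# "service proto port" for every registration PF would not pass.
blocked_registrations() {
    awk 'NR > 1 { print $5, $3, $4 }' | while read -r svc proto port; do
        port_passed "$port" || printf '%s %s %s\n' "$svc" "$proto" "$port"
    done
}

# check_sample: run the check over the constructed sample; returns 1 and
# lists the offenders when any registration is blocked, so it can drive
# a script's exit status.
check_sample() {
    blocked="$(printf '%s\n' "$SAMPLE_RPCINFO" | blocked_registrations)"
    [ -z "$blocked" ] && return 0
    printf 'blocked by PF:\n%s\n' "$blocked"
    return 1
}

# Stand-alone usage: with the sample above this prints the two mountd
# registrations, which is exactly the gap the first post ran into.
check_sample
```

Because mountd picks its port at registration time, running this after every reboot shows whether the currently registered ports still line up with the rule set; the fact that they usually do not is the problem the rest of the thread discusses.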
#2
Old 14th November 2012
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975

You cannot tie mountd(8) to specific ports or port ranges on this OS. There are workarounds and alternatives available; see the thread in the misc@ archives that begins with the first post in the link below. Along with solution discussion, a number of posts reiterate the broader message regarding the lack of security for NFS over insecure networks, such as the Internet. As with the original poster, you desire to move your data in plaintext beyond a firewall, which assumes an insecure network, and this is considered a bad decision.

http://marc.info/?l=openbsd-misc&m=115092459119047&w=2

Last edited by jggimi; 14th November 2012 at 04:39 PM. Reason: clarity
#3
Old 14th November 2012
rocket357
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429

I beg to differ, jggimi. You can sysctl net.inet.tcp.baddynamic to all ports except the one you want mountd to use =P

Just kidding, really, there's not really a good solution to this other than redesigning so you aren't using nfs across a firewall.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
#4
Old 14th November 2012
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975

That redesign could include the use of a VPN. The OpenBSD FAQ section on NFS, FAQ 6.7, recommends an ipsec(4) solution for NFS over an insecure network.

I suppose an admin might prefer net/openvpn, or ssh(1) tunneling to IPSec, but those solutions should be very carefully tested. I believe their higher communications overheads may have significant functional impact: I/O delays or I/O timeouts leading to functional problems with an application; perhaps even application failures.

Last edited by jggimi; 14th November 2012 at 08:07 PM. Reason: clarity
#5
Old 15th November 2012
Skinny
Port Guard
 
Join Date: Jul 2012
Posts: 25

@jggimi,
thx for the misc@ link. I spent quite a bit of time searching but didn't come across this one.

@rocket357,
thx for the "unconventional" solution
Does that have potential side effects for other services running on the same machine?


Quote:
Originally Posted by jggimi
As with the original poster, you desire to move your data in plaintext beyond a firewall, which assumes an insecure network, and this is considered a bad decision.
I want the servers to be in a separate VLAN and allow NFS only from trusted networks.
That should rather be called 'through a firewall' not 'beyond a firewall'
#6
Old 15th November 2012
rocket357
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429

Quote:
Originally Posted by Skinny
@rocket357,
thx for the "unconventional" solution
Does that have potential side effects for other services running on the same machine?
Absolutely. That basically says "don't allow any dynamic port allocation to take place on these ports." If you list all but one, only one dynamic port will be available at any given point in time, which may very well restrict what you can and cannot do on the machine =)

Edit - The whole point of the "baddynamic" sysctls is to prevent a dynamically allocated port being set before a service that needs that particular port is started. If you're running ssh on 65022 (for whatever reason), you don't want an outbound connection to accidentally claim 65022 (which is within the legal range) as a temporary dynamic port, as that would cause ssh to not start. In short, I was being a smart alec. heh
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
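An added example, not from the thread, to illustrate the baddynamic mechanism rocket357 describes: a small sh parser that decides whether a listening port is covered by net.inet.tcp.baddynamic and therefore safe from being claimed as an ephemeral port. The list value below is constructed (it assumes the comma-separated single-port / low-high form that `sysctl -n net.inet.tcp.baddynamic` prints), the function names are mine, and 65022 is the hypothetical sshd port from the post.

```shell
#!/bin/sh
# Added example (not from the thread): check whether listening ports are
# reserved by net.inet.tcp.baddynamic.
# SAMPLE_BADDYNAMIC is a CONSTRUCTED value; on a real host use
#   sysctl -n net.inet.tcp.baddynamic
# and pass that string in its place.
SAMPLE_BADDYNAMIC="587,749-750,1080,2049,6000-6010,65022"

# in_baddynamic PORT LIST: succeed if PORT is a member of LIST, where LIST
# is comma-separated and each item is either "port" or "low-high".
# Runs in a subshell so changing IFS does not leak to the caller.
in_baddynamic() (
    port=$1
    list=$2
    IFS=','
    for item in $list; do
        case $item in
            *-*)
                low=${item%-*}
                high=${item#*-}
                if [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then
                    return 0
                fi
                ;;
            *)
                if [ "$port" -eq "$item" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
)

# reserve_status PORT LIST: print "reserved" when PORT is protected by the
# list, "at risk" when an ephemeral allocation could still take it.
reserve_status() {
    if in_baddynamic "$1" "$2"; then
        echo reserved
    else
        echo "at risk"
    fi
}

# at_risk_listeners "PORT ..." LIST: print each listed listener port that
# is NOT in the baddynamic list, one per line.
at_risk_listeners() {
    for p in $1; do
        in_baddynamic "$p" "$2" || echo "$p"
    done
}

# Stand-alone usage: a hypothetical sshd on 65022 is reserved in the
# sample list, while an imaginary service on 8080 is not.
reserve_status 65022 "$SAMPLE_BADDYNAMIC"
at_risk_listeners "65022 8080" "$SAMPLE_BADDYNAMIC"
```

The check only answers whether a port is excluded from dynamic allocation; whether a given service can bind to it is still governed by what is already listening, which is the race the sysctl exists to avoid.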