uncarvedblock78
Posts: 17
Joined: Mon Oct 30, 2017 3:30 pm

nfsroot - firewall configuration on the client

Thu Dec 19, 2019 4:39 pm

I've been making a foray into network booting a pi4 and after finally resolving some permission issues on the server side, I am now having some issues firewalling on the client side.

My go-to for configuring the firewall has always been ufw (learning iptables has been on my to-do list for a while but hasn't been a priority). After installing ufw and adding a few rules, enabling the firewall appears to disrupt nfs causing the pi to hang. Apparently ufw flushes and reloads the tables before enabling? Is there any way to prevent this?

I haven't been having much luck searching the innernets for a solution; any advice/assistance would be appreciated. Thanks!

dickon
Posts: 1657
Joined: Sun Dec 09, 2012 3:54 pm
Location: Home, just outside Reading

Re: nfsroot - firewall configuration on the client

Thu Dec 19, 2019 5:05 pm

Listing your rules would certainly be a help.

uncarvedblock78
Posts: 17
Joined: Mon Oct 30, 2017 3:30 pm

Re: nfsroot - firewall configuration on the client

Thu Dec 19, 2019 5:43 pm

default deny all
allow from [local subnet, which includes the nfs server]

I start pretty basic; maybe I should set default deny incoming instead of all? Didn't think to try that...

dickon
Posts: 1657
Joined: Sun Dec 09, 2012 3:54 pm
Location: Home, just outside Reading

Re: nfsroot - firewall configuration on the client

Thu Dec 19, 2019 6:10 pm

It may well be executing those in order, which means your deny will affect traffic before the allow is run. Unfortunately, it probably can't run the allow, because the shiny new deny rule has firewalled off your client from its NFS server...

Try putting the allow first, then the deny. It'll probably work, then. If not, check that you're allowing both UDP and TCP on port 2049.

uncarvedblock78
Posts: 17
Joined: Mon Oct 30, 2017 3:30 pm

Re: nfsroot - firewall configuration on the client

Thu Dec 19, 2019 6:42 pm

Yeah, no dice. The default policy is always run first with ufw.

I could set a default allow, then explicit allow nfs, then explicit deny all, but wouldn't the explicit deny all then override the explicit allow (assuming rules are processed in order)?

ufw is supposedly a simplified interface for iptables, so the same inheritance rules should apply for both, but as I'm not all that familiar with iptables I'm not entirely sure what's happening behind the scenes.

dickon
Posts: 1657
Joined: Sun Dec 09, 2012 3:54 pm
Location: Home, just outside Reading

Re: nfsroot - firewall configuration on the client

Thu Dec 19, 2019 6:53 pm

I assume not. If you have a default allow, then a specific allow rule, then a deny all, the allow rule should allow the traffic through, and anything which doesn't match that rule will drop to the next one, which will be your deny. That's how it works with iptables, anyway.

# accept the trusted range first; the policy only applies to packets no rule matched
iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
# built-in chain policies accept only ACCEPT or DROP, so DROP rather than REJECT here
iptables -P INPUT DROP

is probably how I'd do it (with the correct address range, obviously). I'm not a ufw user.

uncarvedblock78
Posts: 17
Joined: Mon Oct 30, 2017 3:30 pm

Re: nfsroot - firewall configuration on the client

Thu Dec 19, 2019 7:04 pm

Alright, sounds reasonable, I can give it a shot.

I really should learn more about iptables, the existence of ufw has just made me lazy on that front lol.

dickon
Posts: 1657
Joined: Sun Dec 09, 2012 3:54 pm
Location: Home, just outside Reading

Re: nfsroot - firewall configuration on the client

Thu Dec 19, 2019 7:29 pm

iptables isn't difficult for the vast, vast bulk of use-cases. Just remember that rules are processed in order, and, ideally, ensure that you have a blanket accept-all at the top for the IP address you're logged into the target from, just in case...

I'd be tempted to set up your ufw ruleset, then dump the tables with

iptables -L -n

to see what it's done. Best of both worlds.

Have a look at iptables-save / iptables-restore, too. Very useful: you can set up your firewall rules as you want, test them, then save them out and restore them on boot.
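Putting the two pieces of advice above together (accept rules ahead of the restrictive policy, and iptables-save/iptables-restore for loading at boot), here is an added example that is not code from this thread. It generates an iptables-restore ruleset for an nfsroot client and refuses to emit one that would cut the client off from its root filesystem. The reason to load rules this way rather than one iptables command at a time is that iptables-restore commits the whole table in a single atomic operation, so the NFS root is never sitting behind a flushed or half-built table, which is the hang described at the top of the thread. The addresses, the admin host, the script name and the output path are all assumptions; substitute your own.

```shell
#!/bin/sh
# Added example for this thread (not code from the posts above): build an
# iptables-restore ruleset for an nfsroot client that accepts traffic from the
# NFS server and the admin host before the INPUT policy drops everything else.
# All addresses are assumptions: pass your own server and admin host.

nfsroot_ruleset() {
    nfs_server="$1"   # assumed: the host exporting the root filesystem
    admin_host="$2"   # assumed: the host you SSH in from ("blanket accept" at the top)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this client opened (the NFS mount itself)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# admin session first, so a mistake further down cannot lock you out
-A INPUT -s ${admin_host} -p tcp --dport 22 -j ACCEPT
# anything the NFS server sends (NFS on TCP/UDP 2049 plus lock and callback traffic)
-A INPUT -s ${nfs_server} -j ACCEPT
COMMIT
EOF
}

# Pre-flight check: refuse a ruleset whose INPUT policy is DROP unless it also
# carries an ACCEPT for the NFS server. That omission is exactly what hangs an
# nfsroot client, and the check costs nothing compared to a reboot.
ruleset_keeps_nfs() {
    nfs_server="$1"
    ruleset="$2"
    if printf '%s\n' "$ruleset" | grep -q '^:INPUT DROP'; then
        printf '%s\n' "$ruleset" | grep -qF -- "-A INPUT -s ${nfs_server} -j ACCEPT"
    else
        return 0   # permissive policy: the root filesystem is not at risk from this table
    fi
}

# Usage on the client, as root (the output path is the one iptables-persistent
# uses on Debian-based systems; adjust to taste):
#   sh nfsroot-fw.sh 192.168.1.10 192.168.1.20 > /etc/iptables/rules.v4
#   iptables-restore --test < /etc/iptables/rules.v4   # parse only, commit nothing
#   iptables-restore < /etc/iptables/rules.v4          # atomic load
if [ "$#" -ge 2 ]; then
    rules=$(nfsroot_ruleset "$1" "$2")
    if ruleset_keeps_nfs "$1" "$rules"; then
        printf '%s\n' "$rules"
    else
        echo "refusing to emit a ruleset that would cut off the NFS server" >&2
        exit 1
    fi
fi
```

After loading, `iptables -L -n` shows the result, which is also a handy way to compare against the chains ufw builds. Note that iptables-restore, like `ufw enable`, flushes the table before loading unless you pass `--noflush`; with an atomic load the flush is not a problem, but it is worth knowing about when you start mixing the two tools.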

uncarvedblock78
Posts: 17
Joined: Mon Oct 30, 2017 3:30 pm

Re: nfsroot - firewall configuration on the client

Fri Dec 20, 2019 2:22 am

The following appears to work (just have to remember to insert any other rules before the final deny):

# ufw default allow
# ufw allow from nfs-host-ip to any app nfs
# ufw deny from 0.0.0.0/0
# ufw enable
# ufw status
Status: active

To                         Action      From
--                         ------      ----
NFS                        ALLOW       nfs-server-ip
Anywhere                   DENY        Anywhere

Running an nmap scan on the host after enabling ufw shows only the ports I've specifically opened.

Thanks again dickon! I just might get this pi up and doing Something Useful yet, lol.

incognitum
Posts: 504
Joined: Tue Oct 30, 2018 3:34 pm

Re: nfsroot - firewall configuration on the client

Fri Dec 20, 2019 12:28 pm

Eh, you have a writable NFS share to which basically any computer/device in your network can make changes.

But you are concerned about setting up a firewall on the client?

uncarvedblock78
Posts: 17
Joined: Mon Oct 30, 2017 3:30 pm

Re: nfsroot - firewall configuration on the client

Fri Dec 20, 2019 2:25 pm

incognitum wrote: Eh, you have a writable NFS share to which basically any computer/device in your network can make changes.

No, not really. The export is only available to the IP address of the pi. Barring IP spoofing, or a security breach on the file server, no other devices should be writing to the NFS export. I am under the impression that reducing the attack surface was always a Good Thing.

epoch1970
Posts: 5444
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: nfsroot - firewall configuration on the client

Fri Dec 20, 2019 2:51 pm

If your LAN is a war zone, redefine its perimeter. The appropriate location for a firewall is in a router, not so much in an end host: too much attack surface, as you say.
"If there is no solution, it's because there is no problem." Les Shadoks, J. Rouxel

dickon
Posts: 1657
Joined: Sun Dec 09, 2012 3:54 pm
Location: Home, just outside Reading

Re: nfsroot - firewall configuration on the client

Fri Dec 20, 2019 2:58 pm

There's also the defence-in-depth argument. I don't think it's a daft thing to do, although I don't bother with it myself.

uncarvedblock78
Posts: 17
Joined: Mon Oct 30, 2017 3:30 pm

Re: nfsroot - firewall configuration on the client

Fri Dec 20, 2019 3:24 pm

epoch1970 wrote: If your LAN is a war zone, redefine its perimeter. The appropriate location for a firewall is in a router, not so much in an end host: too much attack surface, as you say.

You're probably right; however, why make the router a single point of failure? Also, I occasionally connect consumer devices with closed-source software to my network that I don't want randomly poking around my other devices, especially those with a direct line to my NAS lol.

incognitum
Posts: 504
Joined: Tue Oct 30, 2018 3:34 pm

Re: nfsroot - firewall configuration on the client

Fri Dec 20, 2019 4:36 pm

uncarvedblock78 wrote (Fri Dec 20, 2019 2:25 pm):
incognitum wrote: Eh, you have a writable NFS share to which basically any computer/device in your network can make changes.
No, not really. The export is only available to the IP address of the pi. Barring IP spoofing, or a security breach on the file server, no other devices should be writing to the NFS export. I am under the impression that reducing the attack surface was always a Good Thing.

Well, my personal opinion would be: close the biggest gap first.
If you cannot trust your LAN, do not use a writable NFS share. IP spoofing is very trivial in your average network with only L2 switching.
Look for alternatives for that first (e.g. iSCSI does have authentication, although that would require storing a password on an SD card), before finishing touches like firewall rules.
