echan@cad017.intel.com (Eldon Chan ~ ) (11/21/90)
Would someone out there tell me what is the standard way to set up the access-lists if I just want to pass NFS, FTP, and mail traffic between two Cisco routers via a serial link.

FTP and mail part is quite easy. Since NFS traffic doesn't use any fixed UDP ports (except 111), how can I single out the NFS traffic? The approach I am using is to allow all UDP traffic and disable the UDP ports that I don't like. Is it the right approach?

Any suggestions are welcome. Thanks.

Eldon Chan
barmar@think.com (Barry Margolin) (11/21/90)
In article <1057@inews.intel.com> echan@cad017.cadev6.intel.com (Eldon Chan ~ ) writes:
>Would someone out there tell me what is the standard way to set up the
>access-lists if I just want to pass NFS, FTP, and mail traffic between two Cisco
>routers via a serial link.
>
>FTP and mail part is quite easy. Since NFS traffic doesn't use any fixed
>UDP ports (except 111), how can I single out the NFS traffic?
>The approach I am using is to allow all UDP traffic and disable the UDP
>ports that I don't like. Is it the right approach?

Many NFS implementations, Sun in particular, actually do use fixed port numbers rather than letting the port mapper choose the port numbers. They probably use the same ports as Sun's NFS uses (I've heard that until recently Sun's NFS client didn't actually use the port mapper to find remote NFS servers, but I haven't verified this). You can determine the ports that a host uses with /usr/etc/rpcinfo -p <hostname>. Sun uses UDP ports 2049 and 704 for NFS and MOUNT, respectively.

--
Barry Margolin, Thinking Machines Corp.
barmar@think.com
{uunet,harvard}!think!barmar
wrl@wdl51.wdl.fac.com (Bill Lewandowski) (11/23/90)
We have a wide range of filters in. Filtering port 111 will stop someone from NFS mounting your file system across the Internet or private net. We allow any outgoing UDP but allow any incoming UDP greater than 1022. This allows return UDP answers for name services. We only allow SMTP and UDP to port 53 (name requests in). We also block port 6000 (TCP and UDP) (X-Windows).

Bill
--
Bill Lewandowski
LORAL Western Development Labs
(408) 473-4362
Internet: wrl@wdl1.wdl.fac.com
FAX: (408) 473-7926
UUCP: wdl1!wrl
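An added example, not written by any poster in this thread: a small Python model of how a Cisco extended access-list is evaluated (first matching line wins, with an implicit deny at the end) applied to the inbound policy the replies describe, plus a check for lines that can never match. It shows why the original poster's "permit all UDP, then deny the ports I don't like" ordering does not work as intended, and why the deny lines for 2049, 704 and 6000 must precede a `permit udp ... gt 1022` line. The Packet and Rule types and the shadowed_rules helper are this example's own constructs, not router features.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    dport: int   # destination port

@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp", or "ip" (matches either)
    port_min: int = 0    # inclusive destination-port range; defaults cover all ports
    port_max: int = 65535

    def covers(self, proto: str, lo: int, hi: int) -> bool:
        return (self.proto in ("ip", proto)) and self.port_min <= lo and hi <= self.port_max

    def matches(self, p: Packet) -> bool:
        return self.covers(p.proto, p.dport, p.dport)

def evaluate(acl: list, p: Packet) -> str:
    """Cisco semantics: the first matching line wins; an unmatched packet hits the implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"

def shadowed_rules(acl: list) -> list:
    """Indices of lines that can never match because an earlier line already covers them."""
    return [j for j, r in enumerate(acl)
            if any(acl[i].covers(r.proto, r.port_min, r.port_max) for i in range(j))]

# Inbound policy assembled from the thread: block the portmapper (111), Sun's NFS and MOUNT
# ports (2049, 704) and X (6000); let in SMTP, DNS queries, and UDP replies to ports > 1022.
INBOUND = [
    Rule("deny", "udp", 111, 111),
    Rule("deny", "udp", 2049, 2049),
    Rule("deny", "udp", 704, 704),
    Rule("deny", "udp", 6000, 6000),
    Rule("deny", "tcp", 6000, 6000),
    Rule("permit", "tcp", 25, 25),
    Rule("permit", "udp", 53, 53),
    Rule("permit", "udp", 1023, 65535),   # would also admit 2049 and 6000 if the denies came later
]

# The "permit all UDP, then deny the ports I don't like" ordering: every UDP deny line is dead.
PERMIT_FIRST = [Rule("permit", "udp")] + [r for r in INBOUND if r.action == "deny"]
```

Running shadowed_rules over a candidate list before loading it onto the router is a cheap way to catch this class of ordering mistake.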