Could someone answer me what following lines are supposed to do:
inter ser 0
ip access-group 101
access-list 101 permit ip X.Y.Z.0 0.0.0.255 0.0.0.0 255.255.255.255
Allow any packet from X.Y.Z.* out.
access-list 101 deny ip 0.0.0.0 255.255.255.255 X.Y.Z.155 eq 2049
Drop any packet destined to X.Y.Z.155. Note that the "eq 2049" is
extraneous, as that operator is only useful for TCP and UDP packets.
access-list 101 deny udp 0.0.0.0 255.255.255.255 X.Y.Z.0 0.0.0.255
Drop any UDP packet for X.Y.Z.*.
access-list 101 permit ip 0.0.0.0 255.255.255.255 X.Y.Z.0 0.0.0.255
Permit any other protocol packet for X.Y.Z.*
I was thinking that this will prevent anyone from mounting any partition on
any machine into X.Y.Z net. But I was wrong. Why?
Well, at the very least, you have a typo here. But even if you
specify UDP, you only block NFS, and then only if your implementation
uses the "canonical" NFS port. You are NOT blocking mounts, which is
something slightly different. Note that mountd can run on any port,
so it's very hard to block. And blocking portmap is not sufficient as
someone could realistically walk all of your ports and send mount
requests to all of them...
Does anyone besides me wish that NFS & mountd (& most of the other RPC
services) were on well-known ports instead?
Tony
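To see why the list above only stops UDP to the canonical NFS port, here is a small first-match evaluator for access-list 101, added as an example (not from the original post). It assumes X.Y.Z is 192.0.2, that the host entry for X.Y.Z.155 carries a 0.0.0.0 wildcard, and that "eq" is ignored on an "ip" rule, as the reply explains.

```python
import ipaddress
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

class Rule(NamedTuple):
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str
    src_wild: str               # Cisco wildcard: 1 bit = don't care
    dst: str
    dst_wild: str
    dport: Optional[int] = None # "eq N"; only meaningful for tcp/udp

def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Compare only the bits that are 0 in the wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl: list, pkt: Packet) -> str:
    """First matching rule wins; an access list ends in an implicit deny."""
    for r in acl:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, r.src, r.src_wild):
            continue
        if not wildcard_match(pkt.dst, r.dst, r.dst_wild):
            continue
        # "eq" is extraneous on an "ip" rule, so it is only checked for tcp/udp
        if r.proto in ("tcp", "udp") and r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "deny"

# access-list 101 from the question, with X.Y.Z taken as 192.0.2 (constructed)
ACL_101 = [
    Rule("permit", "ip",  "192.0.2.0", "0.0.0.255",       "0.0.0.0",     "255.255.255.255"),
    Rule("deny",   "ip",  "0.0.0.0",   "255.255.255.255", "192.0.2.155", "0.0.0.0", 2049),
    Rule("deny",   "udp", "0.0.0.0",   "255.255.255.255", "192.0.2.0",   "0.0.0.255"),
    Rule("permit", "ip",  "0.0.0.0",   "255.255.255.255", "192.0.2.0",   "0.0.0.255"),
]

def outcome(proto: str, dst: str, dport: Optional[int] = None, src: str = "198.51.100.9") -> str:
    """Verdict for one constructed probe packet against ACL_101."""
    return evaluate(ACL_101, Packet(proto, src, dst, dport))
```

NFS over TCP to any host but .155, and mountd on whatever port it registered, fall through to the final permit; only UDP into the net is dropped.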