
#-----------------------------------------------------------------------
# README
#-----------------------------------------------------------------------
#
# WARNING: ONLY USE THE NFS SERVICE WITH TRUSTED SERVERS. Accepting NFS
# traffic leaves your UDP ports (input and output) wide open to these 
# servers!
#
# To install, copy this file to /etc/firewall/modules/public/services/
# 320-nfs-servers and execute rc.firewall with the --update-config
# parameter. The proper options will be added to the configuration file.
#
#-----------------------------------------------------------------------
# CHANGES
#-----------------------------------------------------------------------
#
# 2001-02-07  Jean-Sebastien Morisset <jsmoriss@mvlan.net>
#             Added check for CLUSTER_NAME and assoc. rules.
# 2000-10-26  Jean-Sebastien Morisset <jsmoriss@jsm-mv.dyndns.org>
#             Added the "#m# 123" module config. Fixed Option_Value
#             which referred to CLIENTS instead of SERVERS.
# 2000-10-25  Jean-Sebastien Morisset <jsmoriss@jsm-mv.dyndns.org>
#             Initial module written for v5.0.1.
#
#-----------------------------------------------------------------------
# MODULE CONFIGURATION
#-----------------------------------------------------------------------
#
#m# 123
#a# accept
#i# cluster
#n# nfs
#t# servers
#
#   |--------------------------------------------------------------------|
#d# WARNING: ONLY USE THE NFS SERVICE WITH TRUSTED SERVERS. Accepting NFS
#d# traffic leaves your UDP ports wide open to these servers!
#   |--------------------------------------------------------------------|
#
#-----------------------------------------------------------------------
# START OF MODULE CODE
#-----------------------------------------------------------------------


#--------------------------------------------------------------------
# SUNRPC (111)
#--------------------------------------------------------------------

for host in `Option_Value accept $INTOPT nfs servers`
do
	echo "Accept $INTOPT $IPADDR -> $host SUNRPC $LOG_MSG"
	if [ "$CLUSTER_NAME" ]
	then
		ipchains -A $OUTCHAIN -j ACCEPT -p udp -s $host   sunrpc     -d $IPADDR $PRIVPORTS $LOG
		ipchains -A $INCHAIN  -j ACCEPT -p udp -s $IPADDR $PRIVPORTS -d $host   sunrpc     $LOG

		ipchains -A $OUTCHAIN -j ACCEPT -p tcp ! -y -s $host   sunrpc     -d $IPADDR $PRIVPORTS $LOG
		ipchains -A $INCHAIN  -j ACCEPT -p tcp      -s $IPADDR $PRIVPORTS -d $host   sunrpc     $LOG
	else
		ipchains -A $INCHAIN  -j ACCEPT -p udp -s $host   sunrpc     -d $IPADDR $PRIVPORTS $LOG
		ipchains -A $OUTCHAIN -j ACCEPT -p udp -s $IPADDR $PRIVPORTS -d $host   sunrpc     $LOG

		ipchains -A $INCHAIN  -j ACCEPT -p tcp ! -y -s $host   sunrpc     -d $IPADDR $PRIVPORTS $LOG
		ipchains -A $OUTCHAIN -j ACCEPT -p tcp      -s $IPADDR $PRIVPORTS -d $host   sunrpc     $LOG
	fi
done
unset host

#--------------------------------------------------------------------
# NFS (Port 2049)
#--------------------------------------------------------------------

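# Decide once which chain sees packets *from* the NFS server and which sees
# packets *to* it. With CLUSTER_NAME set the two chains are swapped, exactly
# as in the SUNRPC block above and in the UDP rules of this block.
#
# Fix: the TCP rules here previously used the opposite chain assignment to
# the UDP rules in the same branch (and to the SUNRPC block), e.g. in
# non-cluster mode non-SYN TCP packets *from* the server were matched on
# $OUTCHAIN instead of $INCHAIN. All four rule pairs now share one mapping.
if [ -n "$CLUSTER_NAME" ]
then
	from_server_chain=$OUTCHAIN
	to_server_chain=$INCHAIN
else
	from_server_chain=$INCHAIN
	to_server_chain=$OUTCHAIN
fi

# One rule set per configured server; Option_Value is provided by rc.firewall
# and yields the whitespace-separated server list for this interface option.
for host in $(Option_Value accept $INTOPT nfs servers)
do
	echo "Accept $INTOPT $IPADDR <- $host NFS $LOG_MSG"

	# UDP: no port restriction in either direction. This is the "UDP ports
	# wide open to these servers" caveat from the README; the NFS daemons
	# use several ports, so only list servers you trust.
	ipchains -A $from_server_chain -j ACCEPT -p udp -s $host   -d $IPADDR $LOG
	ipchains -A $to_server_chain   -j ACCEPT -p udp -s $IPADDR -d $host   $LOG

	# TCP port 715: not documented in this module; presumably a fixed
	# mountd/lockd port on the server -- confirm against the server's setup.
	# "! -y" (not SYN) lets replies in but stops the server from opening new
	# connections towards us.
	ipchains -A $from_server_chain -j ACCEPT -p tcp ! -y -s $host   715        -d $IPADDR $PRIVPORTS $LOG
	ipchains -A $to_server_chain   -j ACCEPT -p tcp      -s $IPADDR $PRIVPORTS -d $host   715        $LOG

	# TCP port 2049: NFS itself, same SYN restriction as above.
	ipchains -A $from_server_chain -j ACCEPT -p tcp ! -y -s $host   2049       -d $IPADDR $PRIVPORTS $LOG
	ipchains -A $to_server_chain   -j ACCEPT -p tcp      -s $IPADDR $PRIVPORTS -d $host   2049       $LOG
done
# This file is sourced into rc.firewall, so drop the loop variables again.
unset host from_server_chain to_server_chain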

