Firewalling NFS

Dave dmehler26 at woh.rr.com
Sat Jun 16 00:27:30 UTC 2007


Hello,
    If anyone is interested, I've got NFS going with a pf firewall on 6.2. I 
use a block-by-default policy and the client is a Linux client running its 
iptables firewall, but it does work. I'm not sure about ipfw's rule 
syntax, but for pf (and I think ipf) this should do it. The trick is UDP and TCP 
111, TCP 2049, and TCP 986 / UDP 669; those last two are so that mountd can be 
contacted. On the NFS server I have this in rc.conf:

rpcbind_enable="YES"
rpcbind_flags="-h 192.168.1.44" # I use jails on this box
nfs_server_enable="YES"
nfs_server_flags="-u -t -n 4 -h 192.168.1.44" # jails on this system
mountd_flags="-r"

and in my pf.conf file I have:

pass in quick on $ext_if inet proto { tcp, udp } from <client-ip> to $ext_if port 111 flags S/SA keep state
pass in quick on $ext_if inet proto tcp from <client-ip> to $ext_if port 2049 flags S/SA keep state
pass in quick on $ext_if inet proto tcp from <client-ip> to $ext_if port 986 flags S/SA keep state
pass in quick on $ext_if inet proto udp from <client-ip> to $ext_if port 669 keep state

The only thing I'm not sure of is whether any of the ports will change if 
the box is rebooted; I've restarted the services several times and they hold 
the same ports.
Hth
Dave.

----- Original Message ----- 
From: "Bruce M. Simpson" <bms at incunabulum.net>
To: "Eygene Ryabinkin" <rea-fbsd at codelabs.ru>
Cc: <freebsd-net at FreeBSD.org>; "Jeremie Le Hen" <jeremie at le-hen.org>
Sent: Friday, June 15, 2007 1:47 PM
Subject: Re: Firewalling NFS


> Eygene Ryabinkin wrote:
>> NFSD binds to the port nfsd (2049) and for my -CURRENT both lockd
>> and statd have '-p' options:
>> -----
>> $ man rpc.lockd rpc.statd | grep -- -p
>>      rpc.lockd [-d debug_level] [-g grace period] [-p port]
>>      -p      The -p option allow to force the daemon to bind to the 
>> specified
>>      rpc.statd [-d] [-p port]
>>      -p      The -p option allow to force the daemon to bind to the 
>> specified
>> -----
>> Are we talking about same entities?
>>
>
> I added the -p switch to mountd(8) a few years ago, as I needed to run a 
> read-only NFS server exposed to the outside world; to firewall it I needed 
> a deterministic RPC port number, which is what -p gives you. Otherwise you 
> have to rely on the TCP wrapper support built into rpcbind(8). The 
> rpc.lockd and rpc.statd daemons were recently changed to incorporate this 
> switch too, although I don't think it has been backported to the 6-STABLE 
> branch yet.
>
> Regards,
> BMS
>
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org" 
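The rules above hard-code whatever ports mountd happened to register with rpcbind; as the quoted reply notes, only mountd's -p switch makes that port deterministic, so the practical check is to read the live registrations with rpcinfo -p and compare them with the rule set after each reboot. The script below is an added example, not part of either message: it parses rpcinfo -p output (a constructed sample is embedded, matching the ports in the post), prints one pf "pass in quick" rule per distinct service/protocol/port for rpcbind, mountd and nfs, and prints a sorted summary that can be diffed against a copy saved before the reboot. The client address 192.168.1.50 and the $ext_if macro are assumptions taken from the shape of the rules in the post.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output for the server in the post:
# rpcbind on 111, nfs on 2049, mountd registered on tcp 986 and udp 669.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100005    1   udp    669  mountd
    100005    3   udp    669  mountd
    100005    1   tcp    986  mountd
    100005    3   tcp    986  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs'

# pf_rules_for_nfs CLIENT  < rpcinfo-p-output
# Emits one pf rule per distinct (service, proto, port) an NFS client needs:
# rpcbind, mountd and nfs. Other RPC services registered on the host are
# deliberately left out so the firewall exposes nothing else. The $ext_if
# macro is assumed to be defined in pf.conf, as in the rules in the post.
pf_rules_for_nfs() {
    client="$1"
    awk -v client="$client" '
        NR == 1 { next }                                  # header line
        $5 != "rpcbind" && $5 != "mountd" && $5 != "nfs" { next }
        {
            key = $5 " " $3 " " $4
            if (seen[key]++) next                         # one rule per triple
            flags = ($3 == "tcp") ? " flags S/SA" : ""    # no TCP flags on UDP
            printf "pass in quick on $ext_if inet proto %s from %s to $ext_if port %s%s keep state # %s\n",
                   $3, client, $4, flags, $5
        }'
}

# nfs_port_summary  < rpcinfo-p-output
# Prints "service proto port" lines, sorted and de-duplicated, so the output
# from before and after a reboot can be compared with diff(1) to see whether
# mountd (or anything else) moved to a new dynamic port.
nfs_port_summary() {
    awk 'NR > 1 && ($5 == "rpcbind" || $5 == "mountd" || $5 == "nfs") {
            print $5, $3, $4
         }' | sort -u
}

# Usage against a live server (not run here):
#   rpcinfo -p 192.168.1.44 | nfs_port_summary > /var/db/nfs-ports.before
#   ... reboot ...
#   rpcinfo -p 192.168.1.44 | nfs_port_summary | diff /var/db/nfs-ports.before -
#   rpcinfo -p 192.168.1.44 | pf_rules_for_nfs 192.168.1.50
```

If the diff is non-empty after a reboot, the hard-coded 986/669 rules no longer match and mountd is unreachable from the client; pinning mountd with -p (where the installed mountd supports it) removes that failure mode entirely.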
