IPFILTER and NFS
Erik Nørgaard
norgaard at locolomo.org
Mon Apr 4 01:40:06 PDT 2005
Matt Juszczak wrote:
> ---snip---
> # Default pass out
> pass out quick on em0 all keep state
>
> # Fragmented/Short/Opts/Fprinting packets
> block in quick on em0 all with ipopts
> block in quick on em0 all with frag
> block in quick on em0 proto tcp all with short
> block in quick on em0 proto tcp all flags FUP
>
> # Block local nets
> block in quick on em0 from 255.255.255.255/32 to any
> block in quick on em0 from 192.168.0.0/16 to any
> block in quick on em0 from 172.16.0.0/12 to any
> block in quick on em0 from 127.0.0.0/8 to any
> block in quick on em0 from 10.0.0.0/8 to any
> block in quick on em0 from 0.0.0.0/32 to any
> ---snip---
You haven't said a word about your network setup or server's IP, and I
don't know your default rules. Your ruleset is mostly useless without
that info.
Have you compiled with default block? If not, then your client is open
to incoming connections from almost anywhere, and if you have, then your
block rules have no use.
NFS is udp - I think you can force tcp, but I think this requires
changes on the server also.
udp is stateless, so stateful filtering is somewhat guesswork. It
works this way for say dns: Your host sends out a udp packet with a dns
request, ip-filter knows dns and so expects a udp packet back, usually
within a minute.
Now, ip-filter may not know nfs that well, or the nfs protocol may just
be weird. Since you know your nfs server, you could do:
pass in quick proto udp from <nfs server>/32 to <client>/32
For clarity, I suggest you write two blocks of rules, incoming and
outgoing, with both tcp and udp protocols for that server. It makes it
easier to see what is going on.
Make sure you start your ruleset with your default rules explicit,
block in log all
block out log all
and enable logging on _all_ block rules. Start ipmon to log to a
separate file.
Default rules should never match; if they do, it is an indication that there
is something you have not taken care of. OK, this is not strictly true,
but if they never match then it indicates you have written an explicit
rule for each possible packet - i.e. you have thought about everything.
If you still have problems, submit your ipmon log file and your full
tested ruleset.
Cheers, Erik
--
Ph: +34.666334818 web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
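The ruleset layout Erik recommends, written out as an added example (this is not from the original post or from Matt's configuration): explicit, logged default rules first, then the sanity-check blocks with logging, then separate incoming and outgoing blocks for the NFS server covering both udp and tcp. The interface em0 is taken from Matt's snippet; the addresses 192.0.2.10 (NFS server) and 192.0.2.20 (this client) are placeholders.

```ipf
# Added example ipfilter ruleset, not from the original post.
# Assumptions: external interface em0, NFS server 192.0.2.10,
# this client 192.0.2.20 (placeholder addresses).
# NFS and its helpers (rpcbind, mountd, lockd) use several ports, so the
# server rules are host-to-host rather than port-specific, as suggested.

# Explicit default rules, logged. Without "quick", ipfilter uses the last
# matching rule, so these only take effect when nothing below matches.
block in log all
block out log all

# Sanity-check blocks from the original snippet, now with logging on every
# block rule so ipmon shows what they catch.
block in log quick on em0 all with ipopts
block in log quick on em0 all with frag
block in log quick on em0 proto tcp all with short
block in log quick on em0 proto tcp all flags FUP

# Incoming from the NFS server: udp and tcp in one place.
pass in quick on em0 proto udp from 192.0.2.10/32 to 192.0.2.20/32 keep state
pass in quick on em0 proto tcp from 192.0.2.10/32 to 192.0.2.20/32 flags S keep state

# Outgoing to the NFS server: udp and tcp in one place.
pass out quick on em0 proto udp from 192.0.2.20/32 to 192.0.2.10/32 keep state
pass out quick on em0 proto tcp from 192.0.2.20/32 to 192.0.2.10/32 flags S keep state

# Everything else this host initiates.
pass out quick on em0 all keep state
```

Load it with `ipf -Fa -f <rules file>` and run ipmon as a daemon writing to its own file (for example `ipmon -D /var/log/ipf.log`). Any line in that log attributed to the two default rules is traffic no explicit rule accounted for, which is exactly what to look at before adding or loosening anything.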