pf blocking nfs

Aaron Martinez ml at proficuous.com
Wed Nov 30 23:42:38 GMT 2005


On Wednesday 30 November 2005 11:02, Roland Smith wrote:
> On Tue, Nov 29, 2005 at 08:58:48PM -0600, Aaron P. Martinez wrote:
> > I am running FreeBSD 6.0-release and setting up a very basic firewall
> > using pf on my workstation.  The ruleset is as follows:
> >
> > block in log all
> > pass quick on lo0 all
> > #pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
> > pass  out on fxp0 proto { tcp, udp, icmp } all keep state
>
> <snip>
>
> > I can't tell why this isn't working.  I know that udp is stateless, but I
> > was inclined to believe that you could still use state tracking with pf.
> > I'd really like to have the firewall in place when this machine is
> > connected to the internet...
>
> Reading the pf manuals, it is supposed to work.
>
> Have you tried explicitly letting the required traffic through?
>
> pass out on fxp0 proto { tcp, udp } to $nfsserver port { sunrpc,
> nfsd-status, nfsd, lockd } keep state
>
> Where $nfsserver is the server's IP address.
>
> If that still doesn't work, try:
>
> pass out on fxp0 proto { tcp, udp } from any to $nfsserver port { sunrpc,
> nfsd-status, nfsd, lockd }
> pass in on fxp0 proto { tcp, udp } from $nfsserver to any port { sunrpc,
> nfsd-status, nfsd, lockd }
>
>
> Roland

I thought for sure the last example here would solve the issue, but I'm still
stumped.  My current ruleset is as follows:

block in log all
pass quick on lo0 all
#pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
pass  out on fxp0 proto { tcp, udp, icmp } all keep state
pass  out on fxp0 proto { tcp, udp } to 192.168.3.94 port { sunrpc, nfsd, nfsd-status, lockd } keep state
pass  in on fxp0 proto { tcp, udp } from 192.168.3.94 port { sunrpc, nfsd, nfsd-status, lockd } keep state

That didn't work, so I tried:

block in log all
pass quick on lo0 all
#pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
pass  out on fxp0 proto { tcp, udp, icmp } all keep state
pass  out on fxp0 proto { tcp, udp } to 192.168.3.94 port { sunrpc, nfsd, nfsd-status, lockd }
pass  in on fxp0 proto { tcp, udp } from 192.168.3.94 port { sunrpc, nfsd, nfsd-status, lockd }

which was even worse; with this setup I couldn't even switch to the /home
directory.

Still no go.  I'm not sure if I have to reboot after changing the pf.conf
ruleset; I have just been stopping pf with pfctl -d, flushing the rules with
pfctl -F rules, loading the modified rules from /etc/pf.conf with pfctl
-f /etc/pf.conf, and then re-enabling pf with pfctl -e.  Hope someone can
shed some light on this.  Part of my whole reason for switching to the BSDs
was my interest in pf, but this not keeping state is really letting me down.

I've said this before, but I feel like it's worth mentioning again: even with
the single line

pass  out on fxp0 proto { tcp, udp, icmp } all keep state

I can switch to the /usr/home directory and even go into any directory that
doesn't have a lot of files/folders in it.  I only seem to have a problem with
one home directory that is really loaded up.

Thanks again,

Aaron Martinez
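Editor's note, added to this archived thread and not part of either poster's message: the symptom described above (small directories list fine, one large directory does not) is what fragmented UDP NFS traffic looks like behind a pf that is not reassembling fragments. A large READDIR reply over UDP is bigger than the interface MTU and is sent as several IP fragments; only the first fragment carries a UDP header, so only that fragment can be matched to the state entry created by the outbound request. The rest match neither the state nor any pass rule and land on "block in log all". The rulesets in the thread contain no scrub rule. The ruleset below is an added example, not the original poster's configuration; it keeps the thread's server address 192.168.3.94, interface fxp0 and port names, and it assumes that those service names resolve in /etc/services and that the server's mountd, rpc.lockd and rpc.statd are pinned to the listed ports (by default they take dynamic ports from rpcbind, in which case the port list must be widened or the mount switched to TCP).

```pf
# Added example: minimal stateful pf.conf for an NFS client on fxp0.
# ASSUMED (not from the thread): the server's NFS helper daemons are pinned
# to the ports named in $nfs_ports; the names below must exist in /etc/services.
ext_if    = "fxp0"
nfsserver = "192.168.3.94"
nfs_ports = "{ sunrpc, nfsd, nfsd-status, lockd }"

# Reassemble IP fragments before rule and state matching.  Without this, a
# fragmented UDP READDIR reply is matched only on its first fragment; the
# remaining fragments have no UDP header, cannot be tied to the state entry,
# and fall through to "block in log all".  Directories small enough to fit in
# one datagram are unaffected, large ones are not.
scrub in all

# Default deny inbound; every drop is logged to pflog0 for tcpdump.
block in log all

# Loopback is trusted.
pass quick on lo0 all

# Anything this workstation initiates may leave; the reply is admitted by the
# state entry it creates, not by an inbound rule.
pass out on $ext_if proto { tcp, udp, icmp } all keep state

# Explicit NFS client rule.  "quick" makes it final: pf is last-match, so a
# later rule without "keep state" would otherwise silently override this one,
# which is what happened to the third ruleset in the thread.
pass out quick on $ext_if proto { tcp, udp } from $ext_if to $nfsserver \
    port $nfs_ports keep state

# NFS locking is bidirectional: the server's rpc.lockd/rpc.statd call back
# into the client.  Admit those only from the server, stateful.
# ASSUMED: the client's lockd is pinned to the "lockd" port as well.
pass in quick on $ext_if proto { tcp, udp } from $nfsserver to $ext_if \
    port lockd keep state
```

No reboot is needed to apply a changed ruleset, and the stop/flush/enable sequence in the post is not needed either: `pfctl -nf /etc/pf.conf` parses the file without loading it (this is where an unknown service name would show up), and `pfctl -f /etc/pf.conf` then replaces the running ruleset in place while pf stays enabled. To confirm the diagnosis rather than guess, run `tcpdump -n -e -ttt -i pflog0` while listing the large directory: the dropped packets will be logged there, and if they are the non-first fragments of the server's replies they show up as fragment lines with no port numbers. `pfctl -ss` shows the state entries the outbound rule created, and `pfctl -vsr` shows per-rule match counters, which makes it obvious when a later rule is overriding an earlier one. If the server cannot be changed, mounting over TCP (`mount_nfs -T`) avoids the fragmentation altogether, because TCP segments fit the MTU.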
