ipf and dealing with inbound RPC services

Garrett Cooper youshi10 at u.washington.edu
Thu Dec 14 23:23:11 PST 2006



Hello once again,
	Just set up ipf on my FreeBSD server, and I'm having some issues
with RPC services and my firewall rules.
	I run nfsd and smbd, exporting my directories to a number of
clients, and everything works without the firewall running, but stuff
doesn't work with it running in smbd. Here are my effective rules for
the server so far:

[root@hoover /home/gcooper]# ipfstat -i
pass in quick on lo0 all
block in quick from any to any with frag
block in quick from 172.16.0.0/12 to any
block in quick from 10.0.0.0/8 to any
block in quick from 127.0.0.0/8 to any
block in quick from 0.0.0.0/8 to any
block in quick from 169.254.0.0/16 to any
block in quick from 192.0.2.0/24 to any
block in quick from 204.152.64.0/23 to any
block in quick from 224.0.0.0/3 to any
pass in quick proto tcp from any to 192.168.0.100/32 port = ssh flags S/FSRPAU keep state
pass in quick proto tcp/udp from any to any port = sunrpc keep state
pass in quick proto tcp/udp from any to any port 830 >< 884 keep state
pass in quick proto tcp/udp from any to any port 137 >< 139 keep state
pass in quick proto tcp/udp from any to any port = microsoft-ds keep state
pass in quick proto tcp/udp from any to any port = nfsd keep state
pass in quick proto tcp/udp from any to any port = 3632 keep state
pass in quick proto icmp from any to 192.168.0.100/32 keep state
[root@hoover /home/gcooper]# ipfstat -o
pass out quick on lo0 all
pass out quick all keep state

nfsd works, but only after experimenting with the open ports a bit.
Figured out that rpcbind semi-randomly selects ports for mountd and I
have to write a script to auto-add rules for the ports it creates for
mountd.

As for smbd, I can't seem to get incoming packets past the ipf firewall.
Would anyone have any ideas for why things aren't working for smbd and
have solutions for how you got your ipf firewall to work with smbd? All
the solutions I can find after some searching have to deal with Solaris
or ancient versions of FreeBSD (2.1... eep).

TIA,
- -Garrett
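Two things in the post are worth a worked example: the script the poster says he has to write (turning the ports rpcbind hands to mountd into ipf rules), and the semantics of the `><` operator used in the ruleset. In ipf, `port A >< B` matches only ports strictly between A and B, so `port 137 >< 139` admits 138 alone and `port 830 >< 884` leaves out 830 and 884; that is the first thing to check when SMB traffic is being dropped. The script below is an added example, not code from the original post or from the FreeBSD project; the `rpcinfo -p` output is a constructed sample, the server address 192.168.0.100 is taken from the poster's ruleset, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): build ipf "pass in" rules for
# the ports rpcbind assigned to mountd, nlockmgr and status, and emulate the
# exclusive ">< " range operator so a ruleset can be sanity-checked offline.

# Constructed sample of "rpcinfo -p" output. On a live host use instead:
#   rpcinfo -p | rpc_ports mountd nlockmgr status | ipf_rules 192.168.0.100
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100005    1   udp    840  mountd
    100005    3   udp    840  mountd
    100005    1   tcp    840  mountd
    100005    3   tcp    840  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp    866  nlockmgr
    100021    4   tcp    866  nlockmgr
    100024    1   udp    871  status
    100024    1   tcp    871  status'

SERVER=192.168.0.100   # assumed NFS server address, as in the post's ruleset

# rpc_ports SERVICE...: read "rpcinfo -p" output on stdin and print the
# unique "proto port" pairs registered for the named services, sorted.
rpc_ports() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        NF == 5 && $3 ~ /^(tcp|udp)$/ && ($5 in keep) { print $3, $4 }
    ' | sort -u
}

# ipf_rules SERVER: turn "proto port" pairs on stdin into ipf rules that only
# admit traffic to SERVER (narrower than the post's "to any" rules).
ipf_rules() {
    while read -r proto port; do
        printf 'pass in quick proto %s from any to %s/32 port = %s keep state\n' \
            "$proto" "$1" "$port"
    done
}

# ipf_range_matches LO HI PORT: emulate ipf's "port LO >< HI", which is
# exclusive of both ends. Exit status 0 if PORT would be matched, 1 if not.
ipf_range_matches() {
    [ "$3" -gt "$1" ] && [ "$3" -lt "$2" ]
}

# Demo: rules for the sample, plus what "137 >< 139" really covers.
printf '%s\n' "$RPCINFO_SAMPLE" | rpc_ports mountd nlockmgr status | ipf_rules "$SERVER"
for p in 137 138 139; do
    if ipf_range_matches 137 139 "$p"; then
        echo "port 137 >< 139 matches $p"
    else
        echo "port 137 >< 139 does NOT match $p"
    fi
done
```

The generated rules can be loaded with `ipf -f` from a script run after the RPC daemons start, which is the approach the poster describes. An alternative that avoids regenerating rules at all is to pin the daemon to a fixed port where the daemon supports it (check mountd(8) on your release for a `-p port` option) and write a static rule for that port; a static port is also easier to audit than a rule that has to track rpcbind.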
