IPFW / NFSD

Mark Frasa mark at frasa.net
Wed Jan 25 04:58:57 PST 2006


fbsd_user wrote:
> 
> Post complete content of your rules file for review by people here
> on list.
> 
> 
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Mark Frasa
> Sent: Wednesday, January 25, 2006 4:04 AM
> To: freebsd-questions at freebsd.org
> Subject: IPFW / NFSD
> 
> 
> Hello,
> 
> I am currently running 1 HTTP server on FreeBSD 6.0
> 
> Of course, like anyone that likes security, I am running IPFW and set
> the kernel to block by default.
> 
> Behind that HTTP server I am running 2 Linux boxes.
> 
> The problem is that when I enable the firewall and open up the ports from
> rpcinfo -p:
> 
>     program vers proto   port  service
>      100000    4   tcp    111  rpcbind
>      100000    3   tcp    111  rpcbind
>      100000    2   tcp    111  rpcbind
>      100000    4   udp    111  rpcbind
>      100000    3   udp    111  rpcbind
>      100000    2   udp    111  rpcbind
>      100000    4 local    111  rpcbind
>      100000    3 local    111  rpcbind
>      100000    2 local    111  rpcbind
>      100005    1   udp    668  mountd
>      100005    3   udp    668  mountd
>      100005    1   tcp    984  mountd
>      100005    3   tcp    984  mountd
>      100003    2   udp   2049  nfs
>      100003    3   udp   2049  nfs
>      100003    2   tcp   2049  nfs
>      100003    3   tcp   2049  nfs
> 
> I opened up all these ports but I can't do an ls or write to nfs or
> whatever.
> Then I thought maybe it's trying something local so I added:
> 
> $cmd add 00225 allow ip from 1.2.3.4/24 to any keep-state
> 
> Even this does not work.
> 
> Tcpdump shows me that when I have ipfw open, it only communicates with
> port 2049 and I don't see anything more.
> 
> Can anybody help me out here?
> 
> Additional info:
> 
> { alltid at arcas } uname -a
> FreeBSD arcas 6.0-RELEASE-p1 FreeBSD 6.0-RELEASE-p1 #2: Wed Jan  4
> 15:45:38 UTC 2006     markfra at arcas:/usr/obj/usr/src/sys/ARCAS  i386
> 
> 
> Mark.
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
> 


Here is the list:

# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="vr0"     # public interface name of NIC
               # facing the public Internet
secure="ip2.of.this.box"
arcas="ip.of.this.box"

$cmd 00010 allow all from any to any via lo0
$cmd 00015 check-state
$cmd 00100 allow ip from any to any out via $pif keep-state
$cmd 00200 allow tcp from any to $arcas 80 in via $pif
$cmd 00310 allow icmp from any to any in via $pif

# Allow in secure from selected ip's
$cmd 00410 allow tcp from x.x.x.x/32 to $secure 22 in via $pif keep-state
$cmd 00411 allow tcp from x.x.x.x/32 to $secure 22 in via $pif keep-state

# Allow in nfs requests on secured ip from own network only
$cmd 00425 allow ip from x.x.x.x/24 to $secure setup keep-state

# deny and log all packets that fell through to see what they are
$cmd 00999 deny log all from any to any

Mark.
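
One way to write rule 00425 so that it covers every service in the rpcinfo -p output, as an added example and not anything posted in the thread: ipfw's setup keyword matches only TCP SYN packets, so a single "ip ... setup keep-state" rule never admits the UDP requests that rpcbind, mountd and nfs also serve, and the TCP and UDP sides need separate rules. It assumes 192.0.2.0/24 as the trusted subnet and 192.0.2.10 as $secure (placeholders for the thread's x.x.x.x values) and echoes the ipfw commands by default so they can be reviewed before being installed.

```shell
#!/bin/sh
# Added example, not from the thread: NFS rules that admit both the TCP and
# the UDP side of the RPC services from one trusted subnet only.
# IPFW defaults to "echo ipfw" so the generated rules can be reviewed on any
# machine; run with IPFW=ipfw on the FreeBSD box to install them.
IPFW="${IPFW:-echo ipfw}"

secure="192.0.2.10"    # placeholder for $secure, the address NFS listens on
nfsnet="192.0.2.0/24"  # placeholder for the only subnet allowed to mount

# Ports as reported by rpcinfo -p in the thread. The "local" rpcbind entries
# are Unix sockets and need no rule. mountd's ports change on restart unless
# pinned (mountd -p), so these numbers must be re-checked after every reboot.
rpcbind=111
mountd_udp=668
mountd_tcp=984
nfs=2049

nfs_rules() {
    # TCP: "setup" matches the SYN that opens a connection and keep-state
    # then creates a dynamic rule that check-state (rule 00015) honours.
    for p in $rpcbind $mountd_tcp $nfs; do
        $IPFW -q add 00425 allow tcp from $nfsnet to $secure $p in setup keep-state
    done
    # UDP: "setup" matches TCP SYN packets only, so the thread's
    # "ip ... setup keep-state" rule never matched a UDP request and every
    # one fell through to the final deny. keep-state alone is enough for
    # UDP; the replies match the dynamic rule it creates.
    for p in $rpcbind $mountd_udp $nfs; do
        $IPFW -q add 00426 allow udp from $nfsnet to $secure $p in keep-state
    done
}

# Number of generated rules, a quick sanity check for the loops above.
nfs_rule_count() {
    nfs_rules | wc -l | tr -d ' '
}

nfs_rules
```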

