IPFW & NFS

vittorio vdemart1 at tin.it
Thu Nov 23 10:55:46 PST 2006


Well I tried something similar to your
ipfw add xxx allow udp from ${client} to ${server} ${nfsports} keep-state
ipfw add 300 allow udp from 10.0.0.2 to 10.0.0.1 2049,111,1022 setup keep-state
(it differs from your line for the setup option).
It didn't work at all.

Afterwards, following Chuck's advice, I had a go at modifying the ipfw firewall 
in the nfs client 10.0.0.2 (no firewall for the time being on the nfs server 
10.0.0.1) and added towards the end of the list, immediately before the very 
last line denying everything else

50000 allow ip from 10.0.0.1 to 10.0.0.2
51000 allow ip from 10.0.0.2 to 10.0.0.1
65535 deny ip from any to any 

It seemed to work.... partially! I mean that I could mount_nfs the share in 
the client, surfing the directories, reading and writing files in the share, 
BUT ... out of the blue, after some minutes the client froze and I had to 
reboot :-( brutally turning off and on the box.

Help please
Vittorio

At 05:25, Thursday 23 November 2006, Ian Smith wrote:
> vittorio <vdemiart1 at tin.it> wrote:
>  > I have two FreeBSD 6.1 boxes one of which (IP 10.0.0.1) is an NFS server
>  > and the other one (IP 10.0.0.2) is, among other things, an NFS client
>  > sharing directories with the NFS server.
>  > It all works correctly and I can mount_nfs all the directories from the
>  > server.
>  > BUT, I'm now trying to use an IPFW firewall both on the server and on
>  > the client. My simple aim is to setup connections between the 10.0.0.1
>  > server and the 10.0.0.2 client ** only **; no connections should be
>  > possible with other clients!
>  > Now I've tried the poor documentation I could find googling with the
>  > keywords "freebsd ipfw nfs" to no avail, I cannot mount_nfs any share on
>  > the client because something goes wrong with RPC.
>  > Concentrating on the client side (no ipfw for the moment on the server)
>  > I tried the following
>  >
>  > ipfw add 300 allow ip from 10.0.0.1 2049,111,1022 to 10.0.0.2 via fxp0
>  > setup keep-state
>  >
>  > OR
>  > ipfw add 300 allow ip from 10.0.0.1 to 10.0.0.2  2049,111,1022 via fxp0
>  > setup keep-state
>  >
>  > OR
>  > ipfw add 300 allow ip from 10.0.0.1 2049,111,1022 to me via fxp0 setup
>  > keep-state
>  >
>  > OR
>  > ipfw add 300 allow ip from 10.0.0.1 to me  2049,111,1022 via fxp0 setup
>  > keep-state
>  >
>  > If I disable the firewall it all goes smoothly.
>
> Firstly, what Chuck and Bill said .. but some further points ..
>
> Secondly, you don't specify port numbers with 'allow ip', which covers
> tcp, udp and raw ip packets also; you want 'allow udp' here, unless of
> course you're using NFS over TCP as well, where you'd need 'allow tcp'.
> Note also that 'setup' only applies to TCP connections.
>
> Thirdly, if you do want to use stateful rules on the client, you'll do
> better doing them on your _outbound_ connections, something like:
>
>   ipfw add xxx allow udp from ${client} to ${server} ${nfsports} keep-state
>
> If it were me I'd concentrate on the server side firewall rules (and
> /etc/exports allowed hosts) both for allowing desired and disallowing
> undesired connections, so not having to worry much about what client/s
> may or may not be doing.
>
> 'man ipfw' is actually pretty good documentation, though there is a fair
> bit to absorb there.  I still read it before bedtime now and again :)
>
> Ciao, Ian
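As an added example that is not part of this thread (not Ian's, Chuck's or Vittorio's code): a small POSIX sh script that prints host-restricted ipfw rules for NFS on both boxes, following the advice above (state keyed on the client's own outbound packets, 'udp' and 'tcp' rather than 'ip', 'setup' only on TCP), plus a lint function that flags the two mistakes in the rules quoted above. It assumes mountd is pinned to port 1022 (the thread uses that number without saying how it was fixed) and that statd/lockd are not in use; the script only prints rules and never calls ipfw itself.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits ipfw rules that admit NFS
# traffic only between one client and one server, and lints rules for the two
# mistakes Ian points out ('setup' on UDP, port numbers on 'allow ip').
# Assumption: mountd is pinned to 1022 (e.g. mountd_flags="-p 1022" in
# rc.conf); the thread shows 2049,111,1022 but never says how 1022 was chosen.
NFS_PORTS="111,2049,1022"

# Client-side rules: dynamic state is created only by the client's own
# outbound packets, so the server's replies match check-state and nothing
# else gets through on these ports.
nfs_client_rules() {
    client=$1; server=$2; base=${3:-300}
    printf 'add %d check-state\n' "$base"
    printf 'add %d allow udp from %s to %s %s keep-state\n' \
        $((base + 10)) "$client" "$server" "$NFS_PORTS"
    printf 'add %d allow tcp from %s to %s %s setup keep-state\n' \
        $((base + 20)) "$client" "$server" "$NFS_PORTS"
}

# Server-side rules: accept the NFS ports from one client only, then refuse
# them from every other host before any later, broader rule can match.
# Two deny rules because ports belong to udp/tcp, not to a bare 'ip' rule.
nfs_server_rules() {
    client=$1; server=$2; base=${3:-300}
    printf 'add %d check-state\n' "$base"
    printf 'add %d allow udp from %s to %s %s keep-state\n' \
        $((base + 10)) "$client" "$server" "$NFS_PORTS"
    printf 'add %d allow tcp from %s to %s %s setup keep-state\n' \
        $((base + 20)) "$client" "$server" "$NFS_PORTS"
    printf 'add %d deny udp from any to %s %s\n' \
        $((base + 30)) "$server" "$NFS_PORTS"
    printf 'add %d deny tcp from any to %s %s\n' \
        $((base + 40)) "$server" "$NFS_PORTS"
}

# Return 1 (with a message on stderr) for a rule that combines 'setup' with
# udp, or that gives port numbers to a protocol-less 'ip' rule; otherwise 0.
lint_rule() {
    rule=$1
    if printf '%s\n' "$rule" | grep -Eq \
        '(^|[[:space:]])udp[[:space:]].*(^|[[:space:]])setup([[:space:]]|$)'; then
        echo "setup applies only to TCP: $rule" >&2
        return 1
    fi
    # 'ip from <src> [to <dst>] <digits>': a port list right after an address
    if printf '%s\n' "$rule" | grep -Eq \
        '(^|[[:space:]])ip[[:space:]]+from[[:space:]]+[^[:space:]]+[[:space:]]+(to[[:space:]]+[^[:space:]]+[[:space:]]+)?[0-9][0-9,-]*([[:space:]]|$)'; then
        echo "port numbers need tcp or udp, not ip: $rule" >&2
        return 1
    fi
    return 0
}

# Lint every non-empty line on stdin; the return value is the number of bad rules.
lint_ruleset() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        lint_rule "$line" || bad=$((bad + 1))
    done
    return $bad
}

# Demo with the thread's addresses: client 10.0.0.2, server 10.0.0.1.
echo "# client 10.0.0.2"
nfs_client_rules 10.0.0.2 10.0.0.1 300
echo "# server 10.0.0.1"
nfs_server_rules 10.0.0.2 10.0.0.1 300
```

Redirect the output for one box to a file and load it with `ipfw -q /path/to/file` on that box, ahead of the final deny rule. Because the UDP state is created by the client's outbound packets, an idle mount is not a problem: a dynamic UDP entry expires after `net.inet.ip.fw.dyn_udp_lifetime` seconds without traffic and the next request from the client simply recreates it.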
