nfs and ipfw

Robert Johannes rjohanne at piper.hamline.edu
Sun Apr 27 18:11:51 PDT 2003


I recently built a 4.8-stable system, with firewalling.  It is not a
gateway/router, just an nfs and samba server, but I built in the firewall
so I can prohibit potential traffic from the router/gateway in case
it was broken into.

I'm using normal ipfw, with the following rules:

allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any
allow tcp from any to any established
allow ip from any to any frag
allow tcp from any to any setup
allow ip from $nfsclient to $fileserver keep-state
allow ip from xx.xx.xx.1 to $fileserver keep-state
deny ip from any to any


The router/gateway is at xx.xx.xx.254.  I'm able to mount the filesystems
from the $fileserver, but I'm not able to write a substantial amount of
data to the filesystems; I can create a file by 'touching' one on the nfs
filesystem, but I can't copy a big file onto the filesystem.  I have
successfully copied a file as big as the /etc/hosts file (a few bytes).
From watching tcpdump, it seems that any time there's significant i/o on
the nfs filesystem, the fileserver stops responding, and I note the
following lines repeated perhaps a hundred or more times:

15:04:32.619887 $nfsclient > $nfsserver: (frag 7506:340 at 32560)
15:04:32.619906 $nfsclient > $nfsserver: (frag 7506:1480 at 31080+)
15:04:32.619934 $nfsclient > $nfsserver: (frag 7506:1480 at 29600+)
15:04:32.619949 $nfsclient > $nfsserver: (frag 7506:1480 at 28120+)
15:04:32.619962 $nfsclient > $nfsserver: (frag 7506:1480 at 26640+)
15:04:32.619975 $nfsclient > $nfsserver: (frag 7506:1480 at 25160+)
15:04:32.619987 $nfsclient > $nfsserver: (frag 7506:1480 at 23680+)
15:04:32.619998 $nfsclient > $nfsserver: (frag 7506:1480 at 22200+)
15:04:32.620009 $nfsclient > $nfsserver: (frag 7506:1480 at 20720+)

At this point I get an "nfs: server $nfsserver not responding, timed out"
message logged on the nfsclient.

I'm pretty sure it has to do with my ipfw configuration, but I can't
pinpoint the problem.  Any ideas?

robert
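As an added diagnostic aid (not part of the original post), the script below parses tcpdump fragment lines in the "(frag id:size at offset+)" format quoted above, groups them by IP id and reports which byte ranges of each datagram never showed up, which is the first thing to check when a firewall is suspected of dropping some fragments but not others. It assumes only that tcpdump format; the embedded sample is constructed from the lines in the post and deliberately lacks the offset-0 fragment.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample modelled on the tcpdump lines quoted in the post
# (IP id 7506; a trailing "+" means "more fragments follow"). The offset-0
# fragment is deliberately absent, as it would be if only non-first fragments
# were getting through the firewall.
SAMPLE = """\
15:04:32.619887 $nfsclient > $nfsserver: (frag 7506:340 at 32560)
15:04:32.619906 $nfsclient > $nfsserver: (frag 7506:1480 at 31080+)
15:04:32.619934 $nfsclient > $nfsserver: (frag 7506:1480 at 29600+)
15:04:32.619949 $nfsclient > $nfsserver: (frag 7506:1480 at 28120+)
"""

FRAG_RE = re.compile(r"\(frag (?P<id>\d+):(?P<size>\d+) at (?P<off>\d+)(?P<more>\+?)\)")

@dataclass
class Datagram:
    """Fragments seen for one IP id: (offset, size) pairs plus the declared total."""
    pieces: list = field(default_factory=list)
    total: Optional[int] = None  # offset+size of the last fragment (no '+'), if seen

def parse_frags(text):
    """Group tcpdump '(frag id:size at off+)' lines by IP id."""
    dgrams = {}
    for line in text.splitlines():
        m = FRAG_RE.search(line)
        if not m:
            continue
        d = dgrams.setdefault(int(m["id"]), Datagram())
        off, size = int(m["off"]), int(m["size"])
        d.pieces.append((off, size))
        if not m["more"]:          # last fragment tells us the datagram length
            d.total = off + size
    return dgrams

def reassembly_report(d):
    """Return (first_fragment_seen, missing_byte_ranges, total_length)."""
    pieces = sorted(d.pieces)
    first_seen = any(off == 0 for off, _ in pieces)
    missing, cursor = [], 0
    end = d.total if d.total is not None else max(off + size for off, size in pieces)
    for off, size in pieces:
        if off > cursor:           # gap before this fragment
            missing.append((cursor, off))
        cursor = max(cursor, off + size)
    if cursor < end:               # tail never arrived
        missing.append((cursor, end))
    return first_seen, missing, d.total
```

A datagram whose report shows no offset-0 fragment but complete coverage elsewhere points at the rule that handles the first fragment (the one carrying the UDP/TCP header), not at the `frag` rule.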