[pf4freebsd] Re: nfsd send error 1 probably caused by pf ?

Florian C. Smeets flo at kasimir.com
Wed Sep 15 20:56:14 PDT 2004


Pyun YongHyeon wrote:
> Is the nfs client a FreeBSD-CURRENT machine?
Clients and server are all -CURRENT from within the last 4 or 5 days.

> Which NFS version do you use?(NFS V2 or NFS V3)
> Do you use some special mount options such as -r or -w?

Here is my fstab on the clients:

172.30.1.1:/space/ports /usr/ports  nfs rw,nfsv3,tcp  0       0
172.30.1.1:/space/src   /usr/src    nfs rw,nfsv3,tcp  0       0
172.30.1.1:/space/obj   /usr/obj    nfs rw,nfsv3,tcp  0       0

> Do you have a scrub rule such as 'reassemble tcp'?
> Can you post entire pf ruleset?

It is attached.

If I remove this line (the last but one) the problem disappears:

pass out quick on $Int keep state

Yesterday I recognized that it is useless in my config... because there are no
block rules on $Int.

> (I want to reproduce the problem on my box.)
>
> BTW, there might be bugs in FreeBSD-CURRENT nfs code.
> If you read CURRENT list you already noticed some users reported
> nfs problems.

Yeah, I saw it.

thanks for the help so far,
flo



-- Attached file included as plaintext by Ecartis --
-- File: pf.conf

### VARIABLES ###

Ext = "tun0"                    # interface the Internet is attached to
Int = "xl0"                     # interface the internal network hangs off
IntNet = "172.30.1.0/24"        # address range of the internal network
RouterIP = "172.30.1.1"         # IP address of the router
Loop = "lo0"                    # loopback interface

# Addresses that are not routed on the external interface
# (the internal network's range has to be allowed because of the redirections)
NoRoute = "{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"

# Ports that are to be opened
InServicesTCP = "{ ssh, smtp, www, 4661, 4662, 6881, 6882, 6883, 6884, 6885, 6886, 6887, 6888, 6889 }"
InServicesUDP = "{ 4665, 4672 }"


### OPTIONS ###

# Keeps statistics for the DSL link (pfctl -s info)
set loginterface $Ext

# Expires idle connections faster - lower memory consumption.
set optimization aggressive

# Clean up fragmented packets
scrub on $Ext all fragment reassemble random-id


### queueing

#altq on $Ext priq bandwidth 100Kb queue { q_pri, q_def }
#queue q_pri priority 7
#queue q_def priority 1 priq(default)
#

### NAT & FORWARD ###

# Enable NAT (known as masquerading under Linux)
nat on $Ext from $IntNet to any -> $Ext #static-port

# Active FTP - redirect to our ftp-proxy
#rdr on $Int proto tcp from !$RouterIP to !$IntNet port 21 -> 127.0.0.1 port 8081

# Transparent squid
rdr on $Int inet proto tcp from any to any port www -> 127.0.0.1 port 8080

rdr on $Ext inet proto tcp from any to any port 4661 -> 172.30.1.2 port 4661
rdr on $Ext inet proto tcp from any to any port 4662 -> 172.30.1.2 port 4662
rdr on $Ext inet proto udp from any to any port 4665 -> 172.30.1.2 port 4665
rdr on $Ext inet proto udp from any to any port 4672 -> 172.30.1.2 port 4672
rdr on $Ext inet proto tcp from any to any port 6884 -> 172.30.1.8 port 6884
rdr on $Ext inet proto tcp from any to any port 6885 -> 172.30.1.8 port 6885
rdr on $Ext inet proto tcp from any to any port 6886 -> 172.30.1.8 port 6886
rdr on $Ext inet proto tcp from any to any port 6887 -> 172.30.1.8 port 6887
rdr on $Ext inet proto tcp from any to any port 6888 -> 172.30.1.8 port 6888
rdr on $Ext inet proto tcp from any to any port 6889 -> 172.30.1.8 port 6889

rdr-anchor redirect


### FILTER ###

# For debugging....
#pass quick all             # let everything through

# General block rule
block on $Ext

# We don't make a peep voluntarily ;)
block return log on $Ext

# We don't want IPv6
block quick inet6

# Loopback interface may do anything
pass quick on $Loop

#pass out on $Ext proto tcp from $Ext to any flags S/SA keep state queue (q_def, q_pri)
#pass in  on $Ext proto tcp from any to $Ext flags S/SA keep state queue (q_def, q_pri)

# Makes scanning with nmap and co. harder
block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $Ext inet proto tcp from any to any flags /SFRA


# Allow active FTP
#pass in quick on $Ext inet proto tcp from any to any port > 49151 user proxy flags S/SAFR keep state

# Accept ping (rejecting it makes little sense, by the way)
pass in quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state

# Open ports to the outside
pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SAFR keep state label ServicesTCP
pass in quick on $Ext inet proto udp from any to any port $InServicesUDP

anchor passin

# Prevent IP spoofing
block in log quick on $Ext inet from $NoRoute to any
block in log quick on $Ext inet from any to $NoRoute


# (Almost) everything may go out
pass out quick on $Int keep state
pass out quick on $Ext keep state

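As an added example (not part of the original mail or its pf.conf), this is the triage a pf administrator would run on the router before and after removing the `pass out quick on $Int keep state` line: list the pf states that involve the NFS port on the internal interface, and read the `state-mismatch` counter from `pfctl -s info`, which pf increments when a packet is matched to an existing state but fails the TCP sequence/window checks. If that counter climbs while NFS stalls, the stateful rule on the internal interface is dropping mid-stream NFS segments, and the comparison with and without the rule settles it. The script works on saved `pfctl` output so it can run anywhere; the sample output embedded below is constructed, its column layout is an assumption about the `pfctl` of the period, and the interface name `xl0` and server address 172.30.1.1 follow the posted ruleset.

```shell
#!/bin/sh
# Added example, not the original poster's code. On the router you would feed
# live output instead of the constructed samples:
#   pfctl -s state > states.txt; pfctl -s info > info.txt

NFS_PORT=2049

# Constructed sample of `pfctl -s state`. The column layout
# (interface, proto, server:port <- client:port, state) is an assumption.
SAMPLE_STATES='xl0 tcp 172.30.1.1:2049 <- 172.30.1.5:1014       ESTABLISHED:ESTABLISHED
xl0 tcp 172.30.1.1:2049 <- 172.30.1.8:1020       ESTABLISHED:ESTABLISHED
xl0 tcp 172.30.1.1:22 <- 172.30.1.5:49152       ESTABLISHED:ESTABLISHED
tun0 tcp 172.30.1.5:49200 -> 203.0.113.10:80       ESTABLISHED:ESTABLISHED
xl0 udp 172.30.1.1:111 <- 172.30.1.8:1016       MULTIPLE:MULTIPLE'

# Constructed sample of the Counters section of `pfctl -s info`.
SAMPLE_INFO='Status: Enabled for 0 days 02:11:08           Debug: Urgent

Counters
  match                              51244            6.5/s
  bad-offset                             0            0.0/s
  fragment                               3            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  state-mismatch                       217            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s'

# Print the state entries on interface $1 whose source or destination
# socket is the NFS port; reads `pfctl -s state` output from stdin.
nfs_states() {
    awk -v ifn="$1" -v port="$NFS_PORT" '
        BEGIN { re = ":" port "$" }
        $1 == ifn && ($3 ~ re || $5 ~ re) { print }'
}

# Number of NFS states on interface $1 in the sample.
count_nfs_states() {
    printf '%s\n' "$SAMPLE_STATES" | nfs_states "$1" | wc -l | tr -d ' '
}

# Value of the named counter ($1) from `pfctl -s info` output on stdin.
pf_counter() {
    awk -v name="$1" '$1 == name { print $2; exit }'
}

state_mismatch_count() {
    printf '%s\n' "$SAMPLE_INFO" | pf_counter state-mismatch
}

main() {
    echo "NFS states tracked on xl0:"
    printf '%s\n' "$SAMPLE_STATES" | nfs_states xl0
    n=$(count_nfs_states xl0)
    m=$(state_mismatch_count)
    echo "count: $n, state-mismatch counter: $m"
    if [ "$n" -gt 0 ] && [ "$m" -gt 0 ]; then
        echo "pf keeps state for NFS on xl0 and has dropped packets for state mismatch;"
        echo "re-read the counter after removing the stateful rule on xl0 and compare."
    fi
}

main "$@"
```

Run it once with the rule in place and once without, a few minutes apart each, and compare the two `state-mismatch` readings; a counter that only moves while the `pass out quick on $Int keep state` rule is loaded points at that rule rather than at the NFS code.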




