[pf4freebsd] Re: nfsd send error 1 probably caused by pf ?
Florian C. Smeets
flo at kasimir.com
Wed Sep 15 20:56:14 PDT 2004
Pyun YongHyeon wrote:
> Is the nfs client a FreeBSD-CURRENT machine?
Clients and server are all -CURRENT from within the last 4 or 5 days.
> Which NFS version do you use?(NFS V2 or NFS V3)
> Do you use some special mount options such as -r or -w?
Here is my fstab on the clients:
172.30.1.1:/space/ports /usr/ports nfs rw,nfsv3,tcp 0 0
172.30.1.1:/space/src /usr/src nfs rw,nfsv3,tcp 0 0
172.30.1.1:/space/obj /usr/obj nfs rw,nfsv3,tcp 0 0
> Do you have a scrub rule such as 'reassemble tcp'?
> Can you post entire pf ruleset?
It is attached.
If I remove this line (the last but one) the problem disappears:
pass out quick on $Int keep state
Yesterday I recognized that it is useless in my config... because there are no
block rules on $Int.
> (I want to reproduce the problem on my box.)
>
> BTW, there might be bugs in FreeBSD-CURRENT nfs code.
> If you read CURRENT list you already noticed some users reported
> nfs problems.
Yeah, I saw it.
thanks for the help so far,
flo
-- Attached file included as plaintext by Ecartis --
-- File: pf.conf
### VARIABLES ###
Ext = "tun0" # device the Internet is attached to
Int = "xl0" # device the internal network hangs off
IntNet = "172.30.1.0/24" # address range of the internal network
RouterIP = "172.30.1.1" # IP address of the router
Loop = "lo0" # loopback device
# Addresses that are not routed on the external device
# (the internal network's address range has to be allowed because of forwarding)
NoRoute = "{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
# Ports that are to be opened
InServicesTCP = "{ ssh, smtp, www, 4661, 4662, 6881, 6882, 6883, 6884, 6885, 6886, 6887, 6888, 6889 }"
InServicesUDP = "{ 4665, 4672 }"
### OPTIONS ###
# Collects statistics for the DSL connection (pfctl -s info)
set loginterface $Ext
# Expires inactive connections faster - lower memory usage.
set optimization aggressive
# Clean up fragmented packets
scrub on $Ext all fragment reassemble random-id
### queueing
#altq on $Ext priq bandwidth 100Kb queue { q_pri, q_def }
#queue q_pri priority 7
#queue q_def priority 1 priq(default)
#
### NAT & FORWARD ###
# Enable NAT (known as masquerading under Linux)
nat on $Ext from $IntNet to any -> $Ext #static-port
# Active FTP - redirect to our ftp-proxy
#rdr on $Int proto tcp from !$RouterIP to !$IntNet port 21 -> 127.0.0.1 port 8081
# Transparent squid
rdr on $Int inet proto tcp from any to any port www -> 127.0.0.1 port 8080
rdr on $Ext inet proto tcp from any to any port 4661 -> 172.30.1.2 port 4661
rdr on $Ext inet proto tcp from any to any port 4662 -> 172.30.1.2 port 4662
rdr on $Ext inet proto udp from any to any port 4665 -> 172.30.1.2 port 4665
rdr on $Ext inet proto udp from any to any port 4672 -> 172.30.1.2 port 4672
rdr on $Ext inet proto tcp from any to any port 6884 -> 172.30.1.8 port 6884
rdr on $Ext inet proto tcp from any to any port 6885 -> 172.30.1.8 port 6885
rdr on $Ext inet proto tcp from any to any port 6886 -> 172.30.1.8 port 6886
rdr on $Ext inet proto tcp from any to any port 6887 -> 172.30.1.8 port 6887
rdr on $Ext inet proto tcp from any to any port 6888 -> 172.30.1.8 port 6888
rdr on $Ext inet proto tcp from any to any port 6889 -> 172.30.1.8 port 6889
rdr-anchor redirect
### FILTER ###
# For debugging....
#pass quick all # let everything through
# General block rule
block on $Ext
# We don't make a peep voluntarily ;)
block return log on $Ext
# We don't want any IPv6
block quick inet6
# The loopback device may do anything
pass quick on $Loop
#pass out on $Ext proto tcp from $Ext to any flags S/SA keep state queue (q_def, q_pri)
#pass in on $Ext proto tcp from any to $Ext flags S/SA keep state queue (q_def, q_pri)
# Makes scanning with nmap and co. harder
block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $Ext inet proto tcp from any to any flags /SFRA
# Allow active FTP
#pass in quick on $Ext inet proto tcp from any to any port > 49151 user proxy flags S/SAFR keep state
# Accept ping (rejecting it makes little sense, by the way)
pass in quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
# Open ports to the outside
pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SAFR keep state label ServicesTCP
pass in quick on $Ext inet proto udp from any to any port $InServicesUDP
anchor passin
# Prevent IP spoofing
block in log quick on $Ext inet from $NoRoute to any
block in log quick on $Ext inet from any to $NoRoute

# (Almost) everything may go out
pass out quick on $Int keep state
pass out quick on $Ext keep state
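The observation in the mail (the `pass out quick on $Int keep state` rule filters nothing because no block rule ever applies to inet traffic on $Int, so its only effect is to create pf state entries for that traffic, NFS over TCP included) can be checked mechanically. The following script is an added example, not code from the post or from pf: it reads a pf.conf in the simplified syntax used above (quoted macros, optional `on <if>`, `in`/`out`, `inet`/`inet6`; no anchors or interface groups), expands macros, and reports every stateful pass rule for which no block rule can match the same traffic for the address family of interest. The embedded ruleset is the macro and filter section of the posted pf.conf with the NAT/rdr lines left out, since they are not pass/block rules. The function and variable names are the example's own.

```python
"""Find pf pass rules that create state on traffic no block rule touches.
Added example for the thread above; not part of the original post or of pf."""
import re

# Macro and filter section of the ruleset posted above (NAT/rdr lines omitted:
# they are not pass/block rules and do not influence this check).
PF_CONF = """
Ext = "tun0"
Int = "xl0"
IntNet = "172.30.1.0/24"
Loop = "lo0"
NoRoute = "{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
InServicesTCP = "{ ssh, smtp, www, 4661, 4662 }"
InServicesUDP = "{ 4665, 4672 }"
set optimization aggressive
scrub on $Ext all fragment reassemble random-id
block on $Ext
block return log on $Ext
block quick inet6
pass quick on $Loop
block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $Ext inet proto tcp from any to any flags /SFRA
pass in quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SAFR keep state label ServicesTCP
pass in quick on $Ext inet proto udp from any to any port $InServicesUDP
anchor passin
block in log quick on $Ext inet from $NoRoute to any
block in log quick on $Ext inet from any to $NoRoute
pass out quick on $Int keep state
pass out quick on $Ext keep state
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"(.*)"$')


def load_rules(text):
    """Join backslash continuations, strip comments, expand $macros.
    Returns the remaining non-empty lines with macros substituted."""
    macros, rules, buf = {}, [], ''
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if line.endswith('\\'):
            buf += line[:-1] + ' '
            continue
        line = (buf + line).strip()
        buf = ''
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        rules.append(re.sub(r'\$(\w+)',
                            lambda mm: macros.get(mm.group(1), mm.group(0)), line))
    return rules


def classify(rule):
    """Reduce a pass/block rule to the attributes that decide whether two
    rules can see the same packet: direction, interface, address family."""
    toks = rule.split()
    if toks[0] not in ('pass', 'block'):
        return None
    r = {'action': toks[0], 'dir': None, 'iface': None, 'af': None,
         'state': 'state' in toks, 'text': rule}
    for i, t in enumerate(toks):
        if t in ('in', 'out'):
            r['dir'] = t
        elif t == 'on' and i + 1 < len(toks):
            r['iface'] = toks[i + 1]
        elif t in ('inet', 'inet6'):
            r['af'] = t
    return r


def _overlaps(a, b, key):
    # An unspecified attribute (None) matches everything.
    return a[key] is None or b[key] is None or a[key] == b[key]


def state_only_rules(text, af='inet'):
    """Stateful pass rules (keep/modulate/synproxy state) whose traffic, for
    address family `af`, no block rule in the set can ever match. Such a rule
    passes nothing that would not pass anyway; its only effect is the state
    entry it creates, which then lives and dies by the ruleset's timeouts."""
    parsed = [r for r in map(classify, load_rules(text)) if r]
    blocks = [b for b in parsed if b['action'] == 'block' and b['af'] in (None, af)]
    found = []
    for p in parsed:
        if p['action'] != 'pass' or not p['state'] or p['af'] not in (None, af):
            continue
        if not any(_overlaps(b, p, 'iface') and _overlaps(b, p, 'dir') for b in blocks):
            found.append(p['text'])
    return found


if __name__ == '__main__':
    for rule in state_only_rules(PF_CONF):
        print('state-only rule (no block rule matches its traffic):', rule)
```

For the posted ruleset this reports exactly the rule the author removed, `pass out quick on xl0 keep state`, for inet; for inet6 it reports nothing, because `block quick inet6` applies on every interface. On a live box the same question is answered by `pfctl -vsr` (which rule a packet hit and how many states it created) and `pfctl -ss` (the state entries, NFS's port 2049 among them); `pfctl -st` shows the timeouts in effect, which matter here because `set optimization aggressive` lowers tcp.established from the default 24 hours to 5 minutes, so an idle state is expired far sooner than with the default optimization.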