NFS fstab and ipfw

Giorgos Keramidas keramida at ceid.upatras.gr
Fri Dec 24 11:31:49 PST 2004


Please don't post the reply on top of what you're replying and trim your
replies a bit, keeping only what's relevant :-/

On 2004-12-24 14:11, Grant Peel <gpeel at thenetnow.com> wrote:
>Giorgos Keramidas <keramida at ceid.upatras.gr> wrote:
>>On 2004-12-24 13:25, Grant Peel <gpeel at thenetnow.com> wrote:
>>> I can't boot my machine without using the noauto switch on my nfs
>>> mount, presumably because ipfw hasn't set up a rule to allow lo0
>>> access.
>>
>> That doesn't sound right.  The order of the rc.d scripts is set up to
>> allow NFS mounts:
>>
>> : gothmog:/root# rcorder /etc/rc.d/* | egrep -e 'ipfw|mount'
>> : /etc/rc.d/mountcritlocal
>> : /etc/rc.d/ipfw
>> : /etc/rc.d/mountcritremote
>> : /etc/rc.d/mountd
>> : gothmog:/root#
>>
>> Are you sure you are not blocking NFS mounts in your firewall ruleset?
>
> I may have left out a key piece of info:

Indeed.

> I am not using an ipfw.rules sh script. I am using Webmin, which loads
> the ipfw.rules in the rc.local file. I don't know a lot about the order
> of operations as far as the rc files go, but assume the rc.local is one
> of the last ones to run, likely after mounts normally take place.

Then it's webmin that's giving you trouble.  This is *NOT* a good way to
load the firewall rules.  The rc.local script always runs after all the
other startup scripts have finished.  This is too late in the boot
sequence to load firewall rules, because network services may have
bumped into problems with the default firewall policy already.

The carefully crafted set of dependencies that the startup scripts use
ensures that this won't happen, but you have to work *with* the system
and not against it as webmin does.  I think I understand why a web-based
interface would find it easier to bypass the canonical way of setting up
a firewall ruleset with FreeBSD, but it still sucks a bit.

One way to load the ipfw rules at the right moment is to load ipfw from
the /etc/rc.conf file:

	firewall_enable="YES"
	firewall_quiet="YES"
	firewall_logging="YES"
	firewall_type="/etc/ipfw.rules"

Then write your rules in /etc/ipfw.rules just as you would pass them to
the command line of ipfw(8), i.e.:

	add pass udp from any to any via fxp0

This will load the firewall rules *before* any attempt to mount NFS
shared directories is made, and it will all Just Work(TM).

> Are there any background or timeout switches that can be used on nfs
> mounts in the fstab?

Read the mount_nfs(8) manpage.  Pay careful attention to the description
of the -b option :-)

Note that forking off a background process that will attempt to
asynchronously mount a filesystem is NOT good for all the filesystems.
It may be useful at times, but it's dangerous to use for filesystems
like /usr or /var.

If you fork off a mount_nfs process in /etc/rc.d/mountcritremote and let
that script finish ``normally'', the rest of the startup scripts will
assume that /usr is already mounted and attempt to access files within
it.  They will, of course, fail miserably and you'll end up with an
incomplete or half-working boot.

Definitely not a good idea.
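An added example, not part of the original thread: a small POSIX shell script that checks the three points made above (ipfw ordered before mountcritremote in rcorder(8) output, firewall_enable set in rc.conf, and rc.local not loading ipfw itself). The function names and the sample inputs are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: boot-order sanity checks for the
# situation described above. Function names and sample inputs are constructed.

# Returns 0 if /etc/rc.d/ipfw is listed before /etc/rc.d/mountcritremote in
# the rcorder(8) output read from stdin, 1 otherwise.
ipfw_before_remote_mounts() {
    awk '
        /\/rc\.d\/ipfw$/            { ipfw = NR }
        /\/rc\.d\/mountcritremote$/ { remote = NR }
        END { if (ipfw && remote && ipfw < remote) exit 0; exit 1 }
    '
}

# Returns 0 if the rc.conf read from stdin enables ipfw through the rc
# system (firewall_enable="YES"), 1 otherwise.
firewall_enabled_in_rcconf() {
    awk -F= '
        $1 == "firewall_enable" && $2 ~ /^"?YES"?/ { ok = 1 }
        END { if (ok) exit 0; exit 1 }
    '
}

# Returns 0 if the rc.local read from stdin does not run ipfw itself (rules
# loaded there arrive after every other startup script), 1 if it does.
rc_local_does_not_load_ipfw() {
    ! grep -q 'ipfw'
}

# Constructed sample inputs mirroring the thread.
GOOD_ORDER='/etc/rc.d/mountcritlocal
/etc/rc.d/ipfw
/etc/rc.d/mountcritremote
/etc/rc.d/mountd'

GOOD_RCCONF='firewall_enable="YES"
firewall_quiet="YES"
firewall_type="/etc/ipfw.rules"'

WEBMIN_RCLOCAL='#!/bin/sh
/sbin/ipfw -q /etc/ipfw.rules'

# On a real host, feed the live files instead, e.g.:
#   rcorder /etc/rc.d/* | ipfw_before_remote_mounts
printf '%s\n' "$GOOD_ORDER" | ipfw_before_remote_mounts && echo "ipfw runs before remote mounts"
printf '%s\n' "$GOOD_RCCONF" | firewall_enabled_in_rcconf && echo "rc.conf enables ipfw"
printf '%s\n' "$WEBMIN_RCLOCAL" | rc_local_does_not_load_ipfw || echo "rc.local loads ipfw: too late"
```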
