pf blocking nfs

Thu Dec 1 00:53:52 GMT 2005

On Wed, Nov 30, 2005 at 05:42:30PM -0600, Aaron Martinez wrote:
> On Wednesday 30 November 2005 11:02, Roland Smith wrote:
> > On Tue, Nov 29, 2005 at 08:58:48PM -0600, Aaron P. Martinez wrote:
> > > I am running FreeBSD 6.0-release and setting up a very basic firewall
> > > using pf on my workstation.  The ruleset is as follows:
> > >
> > > block in log all
> > > pass quick on lo0 all
> > > #pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
> > > pass  out on fxp0 proto { tcp, udp, icmp } all keep state
> >
> > <snip>
> >
> > > I can't tell why this isn't working.  I know that udp is stateless, but i
> > > was inclined to believe that you could still use state tracking with pf.
> > > I'd really like to have the firewall in place when this machine is
> > > connected to the internet...
> >
> > Reading the pf manuals, it is supposed to work.
> >
> > Have you tried explicitly letting the required traffic through?
> >
> > pass out on fxp0 proto { tcp, udp } to $nfsserver port { sunrpc,
> > nfsd-status, nfsd, lockd } keep state
> >
> > Where $nfsserver is the server's IP address.
> >
> > If that still doesn't work, try:
> >
> > pass out on fxp0 proto { tcp, udp } from  any to $nfsserver port { sunrpc,
> > nfsd-status, nfsd, lockd } pass in on fxp0 proto { tcp, udp } from
> > $nfsserver to any port { sunrpc, nfsd-status, nfsd, lockd }
> >
> >
> > Roland
> 
> I thought for sure the last example here would solve the issue, but i'm still 
> stumped.  My current ruleset is as follows:
> 
> block in log all
> pass quick on lo0 all
> #pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
> pass  out on fxp0 proto { tcp, udp, icmp } all keep state
> pass  out on fxp0 proto { tcp, udp } to 192.168.3.94 port { sunrpc, nfsd, 
> nfsd-status, lockd } keep state
> pass  in on fxp0 proto { tcp, udp } from 192.168.3.94 port { sunrpc, nfsd, 
> nfsd-status, lockd } keep state
> 
> That didn't work so i tried:
> 
> block in log all
> pass quick on lo0 all
> #pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
> pass  out on fxp0 proto { tcp, udp, icmp } all keep state
> pass  out on fxp0 proto { tcp, udp } to 192.168.3.94 port { sunrpc, nfsd, 
> nfsd-status, lockd }
> pass  in on fxp0 proto { tcp, udp } from 192.168.3.94 port { sunrpc, nfsd, 
> nfsd-status, lockd }

I think this should be

pass  in on fxp0 proto { tcp, udp } from 192.168.3.94 to any port { sunrpc, nfsd, nfsd-status, lockd }

You could also try:

pass in on fxp0 proto { tcp, udp } from 192.168.3.94 to $workstation
pass out on fxp0 proto { tcp, udp } from $workstation to 192.168.3.94

If that doesn't work, I don't know what will.

> which was even worse, with this setup i couldn't even switch to the /home 
> directory.
> 
> Still no go.  I'm not sure if i have to reboot after changing the pf.conf 
> ruleset, i have just been stopping pf with pfctl -d, flushing the rules with 
> pfctl -F rules, loading the modified rules from /etc/pf.con with, pfctl 
> -f /etc/pf.conf and then re-enabling pf with, pfctl -e.  Hope someone can 
> shed some light on this.  Part of my whole reason for switcing to the BSDs 
> was my interest in pf, but this not keeping state is really letting me down.

I think the best way is to use '/etc/rc.d/pf reload'.

> I've said this before but i feel like it's worth mentioning again, even with 
> the single line:
> pass  out on fxp0 proto { tcp, udp, icmp } all keep state
> 
> i can switch to the /usr/home directory and even go into any directory that 
> doesn't have a lot of files/folders in it.  I only seem to have problem with 
> one home directory that is really loaded up.

In your original post, there was something about a short packet. I'm
guessing this might screw things up. You might try adding 'scrub in all'
before the filtering rules.

Roland
-- 
R.F.Smith (http://www.xs4all.nl/~rsmith/) Please send e-mail as plain text.
public key: http://www.xs4all.nl/~rsmith/pubkey.txt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20051201/fc8e68ba/attachment.bin