pf blocking nfs

Aaron P. Martinez ml at proficuous.com
Wed Nov 30 03:57:15 GMT 2005


> Aaron P. Martinez wrote:
> [ ... ]
>> Actually my network looks like this:
>>
>> INT---firewall------internal router/firewall---------good lan
>>         |                        |
>>         |                        |---------insecure lan (windoze machines)
>>         |
>>         |----DMZ
>>
>> the good lan is the only one that does nfs, so the nfs doesn't actually
>> pass through the firewall, just connects to the internal
>> router/firewall.
>> I am simply trying to avoid a worst case scenario (internal router gets
>> compromised) so trying to allow ONLY return packets.  Is this
>> unfeasible?
>
> I take it that your internal firewall box has three NICs, then?
>
> Normally, your firewall should not be doing anything else but security
> and would not be mounting NFS or depending on any other services on your
> network.  If that is not possible, you should permit traffic through the
> interface on the "good LAN".
>
> --
> -Chuck

the "main" firewall, which connects to the internet does nothing else but
filter incoming connections, but i'm a little more lax with the internal
which seperates my my lans (and actually there are 3 bad lans, one good,
and the connection to the main firewall...  so 5 nics)  the problem i'm
experiencing isn't with the firewall on the nfs server, it has always
seemed to work, even with linux workstation when i had only one rule in
iptables on the input chain:

iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

...that seems to be fine (iptables); the workstation is where the
problems seem to arise.  When the aforementioned 3-line pf.conf is enabled
I can connect to and mount the NFS /home directory, but as soon as I try to
go into or list the contents of a large directory, pf seems to lose the
state for some reason.

I realize I could just accept all UDP packets from the NFS server, or even
just port 2049, but the underlying question is: why isn't my "keep state"
rule handling this?

thanks again,

Aaron Martinez
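An added example, not part of Aaron's post or of any reply in the thread: a pf.conf for the NFS client workstation that keeps the "only return packets" approach but normalizes traffic before filtering. The interface name and server address are assumptions, the "weak" variant is only a guess at the shape of the unseen 3-line pf.conf, and the diagnosis is an assumption too: a reply to a READ or READDIR on a large directory is a UDP datagram larger than the Ethernet MTU, so it arrives as several IP fragments, and only the first fragment carries the UDP header that the state lookup keys on. Without reassembly the remaining fragments cannot be matched to the state created by the outgoing request and are dropped by the default block, which fits the symptom (mount works, small operations work, large listings stall) without any per-port hole for the server.

```pf
# pf.conf for the NFS client workstation (added example; names assumed)
ext_if     = "fxp0"           # assumed: interface on the "good" LAN
nfs_server = "192.168.1.10"   # assumed: address of the NFS server

# --- weak variant (assumed shape of the original 3-line ruleset) ---
# No normalization: the mount succeeds, but a large NFS reply over UDP
# arrives as IP fragments, only the first of which has the UDP ports the
# state entry is keyed on, so the rest never match and are blocked.
#
# block in all
# pass out proto { tcp, udp } keep state

# --- corrected variant ---
# Normalization directives must come before the filter rules.  Reassembling
# fragments here is the whole fix: the full datagram is rebuilt before the
# filter sees it, so it matches the state created by the outgoing request.
scrub in all fragment reassemble

# Default deny inbound; log it so a dropped NFS reply shows up in pflog.
block in log all

# Let the workstation initiate connections and keep state so that only
# replies to its own requests are allowed back in.
pass out on $ext_if proto { tcp, udp, icmp } keep state

# Optional: a narrower stateful rule for the NFS traffic only (portmap on
# 111 at mount time, nfsd on 2049; mountd is dynamically assigned unless
# pinned on the server), kept alongside the general rule above.
pass out on $ext_if proto udp from $ext_if to $nfs_server keep state
```

To confirm the diagnosis before changing anything, watch for non-first fragments on the client while listing a large directory (`tcpdump -ni fxp0 '(ip[6:2] & 0x1fff) != 0'`), check that a UDP state to port 2049 exists while the listing stalls (`pfctl -s state | grep 2049`), and look at the `fragment` counter in `pfctl -s info`, which increments as reassembly takes place once scrub is enabled. Mounting with NFS over TCP (`mount_nfs -T` or `-o tcp`) is the other way around the problem, since TCP segments the reply instead of fragmenting it and pf tracks the TCP stream stateful end to end.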


More information about the freebsd-questions mailing list