IPFW & NFS

Ian Smith smithi at nimnet.asn.au
Fri Nov 24 00:05:46 PST 2006


Re: freebsd-questions Digest, Vol 157, Issue 12
Message: 25

vittorio <vdemart1 at tin.it> wrote:

 > Well I tried something similar to your
 > ipfw add xxx allow udp from ${client} to ${server} ${nfsports} keep-state
 > ipfw add 300 allow udp from 10.0.0.2 to 10.0.0.1 2049,111,1022 setup
 > keep-state
 > (it differs from your line for the setup option).
 > It didn't work at all.

As mentioned earlier, 'setup' only applies to TCP.  And I'm not entirely
sure that covers all the UDP ports needed, but I can't check right now.

 > Afterwards, following Chuck's advice, I had a go at modifying the ipfw firewall
 > in the nfs client 10.0.0.2 (no firewall for the time being on the nfs server
 > 10.0.0.1) and added towards the end of the list, immediately before the very
 > last line denying everything else
 > 
 > 50000 allow ip from 10.0.0.1 to 10.0.0.2
 > 51000 allow ip from 10.0.0.2 to 10.0.0.1
 > 65535 deny ip from any to any 

Well that would work, if there are no other blocking rules before those. 

 > It seemed to work... partially! I mean that I could mount_nfs the share in
 > the client, surfing the directories, reading and writing files in the share,
 > BUT ... out of the blue, after some minutes the client froze and I had to
 > reboot :-( brutally turning off and on the box.

Even in (rare) cases where brutality is required, the reset button is a
lot easier on the box.  However I doubt your 'freeze' here has anything
to do with your firewall rules.  We haven't much info to go on so far: 

Are you using the standard NFS options on both server and client?
If not, what options?

Are you running rpc.statd and/or rpc.lockd on the server?  client?

Have you tried using TCP rather than UDP mode? (mount_nfs -T)
or interruptible mounts (-i)?  Maybe slower, but likely safer.

Have you tried running tcpdump on either box to watch the traffic?

If you show us what you _are_ trying, we won't have to guess ..

Cheers, Ian

[Please cc me also, digests often arrive after quite some delay]

 > Help please
 > Vittorio
 > 
 > At 05:25, Thursday 23 November 2006, Ian Smith wrote:
 > > vittorio <vdemiart1 at tin.it> wrote:
 > >  > I have two FreeBSD 6.1 boxes one of which (IP 10.0.0.1) is an NFS server
 > >  > and the other one (IP 10.0.0.2) is, among other things, an NFS client
 > >  > sharing directories with the NFS server.
 > >  > It all works correctly and I can mount_nfs all the directories from the
 > >  > server.
 > >  > BUT, I'm now trying to use an IPFW firewall both on the server and on
 > >  > the client. My simple aim is to setup connections between the 10.0.0.1
 > >  > server and the 10.0.0.2 client ** only **; no connections should be
 > >  > possible with other clients!
 > >  > Now I've tried the poor documentation I could find googling with the
 > >  > keywords "freebsd ipfw nfs" to no avail, I cannot mount_nfs any share on
 > >  > the client because something goes wrong with RPC.
 > >  > Concentrating on the client side (no ipfw for the moment on the server)
 > >  > I tried the following
 > >  >
 > >  > ipfw add 300 allow ip from 10.0.0.1 2049,111,1022 to 10.0.0.2 via fxp0
 > >  > setup keep-state
 > >  >
 > >  > OR
 > >  > ipfw add 300 allow ip from 10.0.0.1 to 10.0.0.2  2049,111,1022 via fxp0
 > >  > setup keep-state
 > >  >
 > >  > OR
 > >  > ipfw add 300 allow ip from 10.0.0.1 2049,111,1022 to me via fxp0 setup
 > >  > keep-state
 > >  >
 > >  > OR
 > >  > ipfw add 300 allow ip from 10.0.0.1 to me  2049,111,1022 via fxp0 setup
 > >  > keep-state
 > >  >
 > >  > If I disable the firewall it all goes smoothly.
 > >
 > > Firstly, what Chuck and Bill said .. but some further points ..
 > >
 > > Secondly, you don't specify port numbers with 'allow ip', which covers
 > > tcp, udp and raw ip packets also; you want 'allow udp' here, unless of
 > > course you're using NFS over TCP as well, where you'd need 'allow tcp'.
 > > Note also that 'setup' only applies to TCP connections.
 > >
 > > Thirdly, if you do want to use stateful rules on the client, you'll do
 > > better doing them on your _outbound_ connections, something like:
 > >
 > >   ipfw add xxx allow udp from ${client} to ${server} ${nfsports} keep-state
 > >
 > > If it were me I'd concentrate on the server side firewall rules (and
 > > /etc/exports allowed hosts) both for allowing desired and disallowing
 > > undesired connections, so not having to worry much about what client/s
 > > may or may not be doing.
 > >
 > > 'man ipfw' is actually pretty good documentation, though there is a fair
 > > bit to absorb there.  I still read it before bedtime now and again :)
 > >
 > > Ciao, Ian
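The two points from the exchange above (ports mean nothing with 'allow ip', and 'setup' applies only to TCP) put into a checkable form, as an added example that is not part of the original messages: a small sh script that emits the client-side stateful rules Ian suggests and lints a candidate ipfw rule body for those two mistakes. Hosts and the 2049,111,1022 port list are taken from the thread; the rule numbers 300/310 and the check_rule/nfs_client_rules names are my own.

```shell
#!/bin/sh
# Added example (not from the original thread): the client-side stateful
# ipfw rules Ian suggests, plus a lint for the two mistakes he points out.
# Assumed: hosts and ports as in the thread; rule numbers 300/310 are arbitrary.

client=10.0.0.2
server=10.0.0.1
nfsports=2049,111,1022   # nfsd, portmapper, mountd (ports as given in the thread)

# Stateful rules keyed on the client's OUTBOUND requests: the dynamic rule
# then admits the server's replies, so no wide 'allow ip from server' is needed.
# The tcp/setup line is only needed when mounting with mount_nfs -T.
nfs_client_rules() {
    printf 'add 300 allow udp from %s to %s %s keep-state\n' "$client" "$server" "$nfsports"
    printf 'add 310 allow tcp from %s to %s %s setup keep-state\n' "$client" "$server" "$nfsports"
}

# check_rule RULE: returns 0 if the rule body avoids the mistakes discussed
# above, otherwise prints the reason and returns 1.
check_rule() {
    proto='' has_ports=0 has_setup=0 prev=''
    for tok in $1; do
        case "$prev" in allow|deny) proto=$tok ;; esac
        case "$tok" in
            setup) has_setup=1 ;;
            [0-9]*)                 # rule number after 'add', an address, or a port list
                case "$prev:$tok" in
                    add:*|*:*.*) ;; # skip the rule number and dotted IP addresses
                    *) has_ports=1 ;;
                esac ;;
        esac
        prev=$tok
    done
    if [ "$proto" = ip ] && [ "$has_ports" = 1 ]; then
        echo "ports have no meaning with 'allow ip'; use 'allow udp' and/or 'allow tcp'"
        return 1
    fi
    if [ "$proto" = udp ] && [ "$has_setup" = 1 ]; then
        echo "'setup' applies only to TCP; a udp rule with 'setup' never matches"
        return 1
    fi
    return 0
}

# Usage: lint the generated rules, then the udp+setup rule tried in the thread.
nfs_client_rules | while read -r r; do check_rule "$r" >/dev/null || echo "BAD: $r"; done
if ! check_rule "add 300 allow udp from 10.0.0.2 to 10.0.0.1 2049,111,1022 setup keep-state"; then
    echo "(rejected, as expected)"
fi
```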


