IPFW & NFS
Ian Smith
smithi at nimnet.asn.au
Fri Nov 24 00:05:46 PST 2006
Re: freebsd-questions Digest, Vol 157, Issue 12
Message: 25
vittorio <vdemart1 at tin.it> wrote:
> Well I tried something similar to your
> ipfw add xxx allow udp from ${client} to ${server} ${nfsports} keep-state
> ipfw add 300 allow udp from 10.0.0.2 to 10.0.0.1 2049,111,1022 setup
> keep-state
> (it differs from your line for the setup option).
> It didn't work at all.
As mentioned earlier, 'setup' only applies to TCP. And I'm not entirely
sure that covers all the UDP ports needed, but I can't check right now.
> Afterwards, following Chuck's advice, I had a go at modifying the ipfw firewall
> in the nfs client 10.0.0.2 (no firewall for the time being on the nfs server
> 10.0.0.1) and added towards the end of the list, immediately before the very
> last line denying everything else
>
> 50000 allow ip from 10.0.0.1 to 10.0.0.2
> 51000 allow ip from 10.0.0.2 to 10.0.0.1
> 65535 deny ip from any to any
Well that would work, if there are no other blocking rules before those.
> It seemed to work.... partially! I mean that I could mount_nfs the share in
> the client, surfing the directories, reading and writing files in the share,
> BUT ... out of the blue, after some minutes the client froze and I had to
> reboot :-( brutally turning off and on the box.
Even in (rare) cases where brutality is required, the reset button is a
lot easier on the box. However I doubt your 'freeze' here has anything
to do with your firewall rules. We haven't much info to go on so far:
Are you using the standard NFS options on both server and client?
If not, what options?
Are you running rpc.statd and/or rpc.lockd on the server? client?
Have you tried using TCP rather than UDP mode? (mount_nfs -T)
or interruptible mounts (-i)? Maybe slower, but likely safer.
Have you tried running tcpdump on either box to watch the traffic?
If you show us what you _are_ trying, we won't have to guess ..
Cheers, Ian
[Please cc me also, digests often arrive after quite some delay]
> Help please
> Vittorio
>
> At 05:25, Thursday 23 November 2006, Ian Smith wrote:
> > vittorio <vdemiart1 at tin.it> wrote:
> > > I have two FreeBSD 6.1 boxes one of which (IP 10.0.0.1) is an NFS server
> > > and the other one (IP 10.0.0.2) is, among other things, an NFS client
> > > sharing directories with the NFS server.
> > > It all works correctly and I can mount_nfs all the directories from the
> > > server.
> > > BUT, I'm now trying to use an IPFW firewall both on the server and on
> > > the client. My simple aim is to setup connections between the 10.0.0.1
> > > server and the 10.0.0.2 client ** only **; no connections should be
> > > possible with other clients!
> > > Now I've tried the poor documentation I could find googling with the
> > > keywords "freebsd ipfw nfs" to no avail, I cannot mount_nfs any share on
> > > the client because something goes wrong with RPC.
> > > Concentrating on the client side (no ipfw for the moment on the server)
> > > I tried the following
> > >
> > > ipfw add 300 allow ip from 10.0.0.1 2049,111,1022 to 10.0.0.2 via fxp0
> > > setup keep-state
> > >
> > > OR
> > > ipfw add 300 allow ip from 10.0.0.1 to 10.0.0.2 2049,111,1022 via fxp0
> > > setup keep-state
> > >
> > > OR
> > > ipfw add 300 allow ip from 10.0.0.1 2049,111,1022 to me via fxp0 setup
> > > keep-state
> > >
> > > OR
> > > ipfw add 300 allow ip from 10.0.0.1 to me 2049,111,1022 via fxp0 setup
> > > keep-state
> > >
> > > If I disable the firewall it all goes smoothly.
> >
> > Firstly, what Chuck and Bill said .. but some further points ..
> >
> > Secondly, you don't specify port numbers with 'allow ip', which covers
> > tcp, udp and raw ip packets also; you want 'allow udp' here, unless of
> > course you're using NFS over TCP as well, where you'd need 'allow tcp'.
> > Note also that 'setup' only applies to TCP connections.
> >
> > Thirdly, if you do want to use stateful rules on the client, you'll do
> > better doing them on your _outbound_ connections, something like:
> >
> > ipfw add xxx allow udp from ${client} to ${server} ${nfsports} keep-state
> >
> > If it were me I'd concentrate on the server side firewall rules (and
> > /etc/exports allowed hosts) both for allowing desired and disallowing
> > undesired connections, so not having to worry much about what client/s
> > may or may not be doing.
> >
> > 'man ipfw' is actually pretty good documentation, though there is a fair
> > bit to absorb there. I still read it before bedtime now and again :)
> >
> > Ciao, Ian
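The rulesets Ian sketches above (protocol-specific 'allow udp'/'allow tcp' instead of 'allow ip', 'setup' only on TCP, stateful rules on the client's outbound side, and restricting the server to the one permitted client) put together as a runnable script. This is an added example, not code from the thread or from FreeBSD; it reuses the addresses, interface and ports from the posts (10.0.0.1, 10.0.0.2, fxp0, 111/2049/1022) and assumes mountd has been pinned to port 1022 with mountd_flags="-p 1022" in rc.conf, since mountd otherwise takes a random port and no fixed port list can cover it.

```shell
#!/bin/sh
# Added example (not from the thread): generate ipfw rulesets that let only
# the NFS client 10.0.0.2 reach the NFS server 10.0.0.1, following the
# advice above: 'allow udp'/'allow tcp' rather than 'allow ip', 'setup'
# only on TCP, and stateful rules on the client's outbound requests.
set -eu

SERVER=10.0.0.1
CLIENT=10.0.0.2
NFS_IF=fxp0                 # interface name from the original post
# 111 = rpcbind, 2049 = nfsd, 1022 = mountd. mountd normally picks a random
# port; this ASSUMES it was pinned with mountd_flags="-p 1022" in rc.conf.
NFSPORTS=111,2049,1022

# Server side: accept NFS only from $CLIENT, log and drop everyone else.
# keep-state on the UDP rule creates a dynamic entry, so the server's
# replies pass without a separate outbound rule.
nfs_server_rules() {
    cat <<EOF
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 check-state
ipfw add 300 allow udp from $CLIENT to $SERVER $NFSPORTS in via $NFS_IF keep-state
ipfw add 310 allow tcp from $CLIENT to $SERVER $NFSPORTS in via $NFS_IF setup keep-state
ipfw add 400 deny log udp from any to $SERVER $NFSPORTS in via $NFS_IF
ipfw add 410 deny log tcp from any to $SERVER $NFSPORTS in via $NFS_IF
EOF
}

# Client side: stateful rules on the outbound requests; the server's
# replies match the dynamic rule through check-state.
nfs_client_rules() {
    cat <<EOF
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 check-state
ipfw add 300 allow udp from $CLIENT to $SERVER $NFSPORTS out via $NFS_IF keep-state
ipfw add 310 allow tcp from $CLIENT to $SERVER $NFSPORTS out via $NFS_IF setup keep-state
EOF
}

# Sanity check: 'setup' is meaningful only for TCP, which is the mistake in
# the original post. Returns 0 when no non-TCP rule carries 'setup'.
check_setup_only_on_tcp() {
    # $1 = name of a rule-generating function
    ! "$1" | grep -v ' tcp ' | grep -q ' setup'
}

case "${1:-show}" in
    show)         nfs_server_rules; echo; nfs_client_rules ;;
    apply-server) nfs_server_rules | sh ;;   # run as root on the server
    apply-client) nfs_client_rules | sh ;;   # run as root on the client
esac
```

Run with no argument to print both rulesets, or with apply-server / apply-client on the respective box. Before applying on the server, confirm with rpcinfo -p 10.0.0.1 that mountd really listens on the port in NFSPORTS; the host list in /etc/exports should restrict the export to 10.0.0.2 as well, so the firewall is not the only control. If rpc.lockd and rpc.statd are in use they register further ports and the server initiates callbacks to the client, which these rules do not cover.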