From: Chuck Swiger <cswiger@mac.com>
Organization: The Courts of Chaos
Date: Tue, 29 Nov 2005 22:12:20 -0500
To: "Aaron P. Martinez"
Cc: freebsd-questions@freebsd.org
Subject: Re: pf blocking nfs
Message-ID: <438D1894.90500@mac.com>
In-Reply-To: <60336.192.168.3.69.1133319528.squirrel@webmail.proficuous.com>

Aaron P. Martinez wrote:
> I am running FreeBSD 6.0-release and setting up a very basic firewall
> using pf on my workstation. The ruleset is as follows:
>
> block in log all
> pass quick on lo0 all
> #pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
> pass out on fxp0 proto { tcp, udp, icmp } all keep state

Your firewall config is not enough to permit NFS to pass. You might consider adding a "pass all" rule for machines on the local subnet.

[ Perhaps you should re-evaluate your network so that you do not attempt to pass NFS through the firewall. If you have to do filesharing between machines over an untrusted connection, you should consider a VPN or SSH tunnel approach instead. ]

--
-Chuck
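The suggestion in the reply, written out as a pf.conf fragment; this is an added example, not part of the original thread. The quoted ruleset is kept as posted (fxp0 comes from the post), and the local-subnet pass rule is added below it; the 192.168.3.0/24 network and the $lan_net macro are assumptions to be adjusted for the real LAN.

```pf
# Ruleset as posted: the default "block in log all" drops every inbound
# packet, including NFS traffic from LAN peers, so mounts never complete.
ext_if  = "fxp0"
lan_net = "192.168.3.0/24"     # assumed local subnet; set to your own

block in log all
pass quick on lo0 all
pass out on $ext_if proto { tcp, udp, icmp } all keep state

# Added rule, narrower than a bare "pass all": only hosts on the local
# subnet may open connections to this workstation. NFS on FreeBSD 6 needs
# rpcbind (111/tcp+udp), nfsd (2049/tcp+udp) and, by default, dynamically
# assigned ports for mountd/lockd/statd, so filtering by source network
# rather than by port keeps the rule short and avoids chasing RPC ports.
# Hosts outside $lan_net still hit the logging block rule above.
pass in quick on $ext_if from $lan_net to $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch `pflog0` with tcpdump to confirm that only non-LAN sources are still being blocked.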