Date: Thu, 16 Sep 2004 03:56:14 -0000
From: "Florian C. Smeets" <flo@kasimir.com>
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: nfsd send error 1 probably caused by pf ?
Message-ID: <3FB3EB22.8000802@kasimir.com>
In-Reply-To: <20031113032327.GA28113@kt-is.co.kr>
References: <3FB2ACA6.7030302@kasimir.com> <20031113032327.GA28113@kt-is.co.kr>
Pyun YongHyeon wrote:
> Is the nfs client a FreeBSD-CURRENT machine?
Clients and server are all -CURRENT from within the last 4 or 5 days.
> Which NFS version do you use? (NFS V2 or NFS V3)
> Do you use some special mount options such as -r or -w?
Here is my fstab on the clients:
172.30.1.1:/space/ports /usr/ports nfs rw,nfsv3,tcp 0 0
172.30.1.1:/space/src /usr/src nfs rw,nfsv3,tcp 0 0
172.30.1.1:/space/obj /usr/obj nfs rw,nfsv3,tcp 0 0
> Do you have a scrub rule such as 'reassemble tcp'?
> Can you post entire pf ruleset?
It is attached.
If I remove this line (the last but one) the problem disappears:
pass out quick on $Int keep state
Yesterday I recognized that it is useless in my config... because there are no
block rules on $Int.
> (I want to reproduce the problem on my box.)
>
> BTW, there might be bugs in FreeBSD-CURRENT nfs code.
> If you read CURRENT list you already noticed some users reported
> nfs problems.
Yeah, I saw it.
Thanks for the help so far,
flo
-- Attached file included as plaintext by Ecartis --
-- File: pf.conf
### VARIABLES ###
Ext = "tun0" # Interface connected to the Internet
Int = "xl0" # Interface the internal network is attached to
IntNet = "172.30.1.0/24" # Address range of the internal network
RouterIP = "172.30.1.1" # IP address of the router
Loop = "lo0" # Loopback interface
# Addresses that are not routed on the external interface
# (the internal network's address range has to be allowed because of the redirections)
NoRoute = "{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
# Ports that should be opened
InServicesTCP = "{ ssh, smtp, www, 4661, 4662, 6881, 6882, 6883, 6884, 6885, 6886, 6887, 6888, 6889 }"
InServicesUDP = "{ 4665, 4672 }"
### OPTIONS ###
# Collects statistics for the DSL connection (pfctl -s info)
set loginterface $Ext
# Expires idle connections faster, so less memory is used.
set optimization aggressive
# Clean up fragmented packets
scrub on $Ext all fragment reassemble random-id
### queueing
#altq on $Ext priq bandwidth 100Kb queue { q_pri, q_def }
#queue q_pri priority 7
#queue q_def priority 1 priq(default)
#
### NAT & FORWARD ###
# Enable NAT (known as masquerading under Linux)
nat on $Ext from $IntNet to any -> $Ext #static-port
# Active FTP: redirect to our ftp-proxy
#rdr on $Int proto tcp from !$RouterIP to !$IntNet port 21 -> 127.0.0.1 port 8081
# Transparent squid
rdr on $Int inet proto tcp from any to any port www -> 127.0.0.1 port 8080
rdr on $Ext inet proto tcp from any to any port 4661 -> 172.30.1.2 port 4661
rdr on $Ext inet proto tcp from any to any port 4662 -> 172.30.1.2 port 4662
rdr on $Ext inet proto udp from any to any port 4665 -> 172.30.1.2 port 4665
rdr on $Ext inet proto udp from any to any port 4672 -> 172.30.1.2 port 4672
rdr on $Ext inet proto tcp from any to any port 6884 -> 172.30.1.8 port 6884
rdr on $Ext inet proto tcp from any to any port 6885 -> 172.30.1.8 port 6885
rdr on $Ext inet proto tcp from any to any port 6886 -> 172.30.1.8 port 6886
rdr on $Ext inet proto tcp from any to any port 6887 -> 172.30.1.8 port 6887
rdr on $Ext inet proto tcp from any to any port 6888 -> 172.30.1.8 port 6888
rdr on $Ext inet proto tcp from any to any port 6889 -> 172.30.1.8 port 6889
rdr-anchor redirect
### FILTER ###
# For debugging....
#pass quick all # Let everything through
# General block rule
block on $Ext
# We don't make a sound of our own accord ;)
block return log on $Ext
# We don't want IPv6
block quick inet6
# The loopback interface may do anything
pass quick on $Loop
#pass out on $Ext proto tcp from $Ext to any flags S/SA keep state queue (q_def, q_pri)
#pass in on $Ext proto tcp from any to $Ext flags S/SA keep state queue (q_def, q_pri)
# Makes scanning with nmap and co. harder
block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $Ext inet proto tcp from any to any flags /SFRA
# Allow active FTP
#pass in quick on $Ext inet proto tcp from any to any port > 49151 user proxy flags S/SAFR keep state
# Accept ping (by the way, rejecting it makes little sense)
pass in quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
# Open ports to the outside
pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SAFR keep state label ServicesTCP
pass in quick on $Ext inet proto udp from any to any port $InServicesUDP
anchor passin
# Prevent IP spoofing
block in log quick on $Ext inet from $NoRoute to any
block in log quick on $Ext inet from any to $NoRoute
# (Almost) everything may go out
pass out quick on $Int keep state
pass out quick on $Ext keep state
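As an added example (not part of the mail above and not code from pf or FreeBSD), here is a small Python lint that performs the check Florian did by hand on the attached ruleset: it finds `keep state` pass rules that override no earlier non-quick block rule on their interface, so that their only effect is to create state entries. It uses a trimmed copy of the attached pf.conf as constructed input and only understands the subset of pf syntax that ruleset uses (macros, comments, `pass`/`block` with `in`/`out`, `on`, `quick` and `keep state`); the parser and the applicability test are assumptions of this example, not pf's own rule matcher.

```python
"""Lint a pf.conf for 'keep state' pass rules that override no block rule.

Added example, not part of the original mail or of pf. In pf the last matching
rule wins unless a rule is 'quick'. A pass rule therefore only changes policy
when an earlier, non-quick block rule could match the same interface and
direction; otherwise its only effect is the state entry it creates (and, when
quick, stopping further evaluation).
"""
import re

# Constructed sample: a trimmed copy of the ruleset attached to the mail.
SAMPLE_PF_CONF = """\
Ext = "tun0"   # Interface connected to the Internet
Int = "xl0"    # Interface the internal network is attached to
Loop = "lo0"
set optimization aggressive
scrub on $Ext all fragment reassemble random-id
nat on $Ext from 172.30.1.0/24 to any -> $Ext
block on $Ext
block return log on $Ext
block quick inet6
pass quick on $Loop
pass in quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
pass out quick on $Int keep state
pass out quick on $Ext keep state
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
RULE_RE = re.compile(r'^(pass|block)\b(.*)$')


def expand_macros(line, macros):
    """Replace $Name references with their macro values (unknown ones are left alone)."""
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), line)


def parse_rules(text):
    """Return (macros, rules) in file order; each rule is a small dict.

    Only pass/block lines become rules; set, scrub, nat, rdr and anchor lines
    are ignored because they do not take part in the pass/block decision.
    """
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        line = expand_macros(line, macros)
        m = RULE_RE.match(line)
        if not m:
            continue
        action, rest = m.group(1), m.group(2)
        words = rest.split()
        direction = next((w for w in words if w in ('in', 'out')), 'any')
        iface = 'any'
        if 'on' in words and words.index('on') + 1 < len(words):
            iface = words[words.index('on') + 1]
        rules.append({
            'action': action,
            'direction': direction,
            'iface': iface,
            'quick': 'quick' in words,
            'stateful': 'keep state' in rest or 'modulate state' in rest,
            'text': line,
        })
    return macros, rules


def _block_could_apply(block, rule):
    """Conservative test: same (or unspecified) interface and compatible direction.

    Protocol and address selectors are ignored, so a block is assumed to apply
    whenever interface and direction allow it. This means the lint never
    reports a pass rule that really does override a block, but it can miss a
    pass rule whose only overriding block is protocol-specific.
    """
    return (block['action'] == 'block'
            and not block['quick']
            and block['iface'] in (rule['iface'], 'any')
            and block['direction'] in (rule['direction'], 'any'))


def useless_stateful_passes(rules):
    """Texts of 'keep state' pass rules preceded by no non-quick block they could override."""
    findings = []
    for index, rule in enumerate(rules):
        if rule['action'] != 'pass' or not rule['stateful']:
            continue
        overrides_a_block = any(_block_could_apply(b, rule) for b in rules[:index])
        if not overrides_a_block:
            findings.append(rule['text'])
    return findings


if __name__ == '__main__':
    _, parsed = parse_rules(SAMPLE_PF_CONF)
    for text in useless_stateful_passes(parsed):
        print('stateful pass rule that overrides no block rule:', text)
```

Run against your own file by passing its contents to `parse_rules()`. On the sample it reports exactly `pass out quick on xl0 keep state`: the two `block ... on tun0` rules do not cover xl0 and `block quick inet6` is quick, so the rule changes no policy on the internal interface, which is what the mail observes. The matching `pass out quick on $Ext keep state` is not reported because it overrides the non-quick `block on $Ext` above it.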
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3FB3EB22.8000802>
