Date: Wed, 25 Jan 2006 13:58:53 +0100
From: Mark Frasa <mark@frasa.net>
To: fbsd_user@a1poweruser.com
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW / NFSD
Message-ID: <43D7760D.7080504@frasa.net>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGGEAIHMAA.fbsd_user@a1poweruser.com>
References: <MIEPLLIBMLEEABPDBIEGGEAIHMAA.fbsd_user@a1poweruser.com>
fbsd_user wrote:
>
> Post complete content of your rules file for review by people here
> on list.
>
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Mark Frasa
> Sent: Wednesday, January 25, 2006 4:04 AM
> To: freebsd-questions@freebsd.org
> Subject: IPFW / NFSD
>
>
> Hello,
>
> I am currently running 1 HTTP server on FreeBSD 6.0.
>
> Of course, like anyone that likes security, I am running IPFW and
> set the kernel to block by default.
>
> Behind that HTTP server I am running 2 Linux boxes.
>
> The problem is that when I enable the firewall and open up the ports
> from rpcinfo -p:
>
>    program vers proto   port  service
>     100000    4   tcp    111  rpcbind
>     100000    3   tcp    111  rpcbind
>     100000    2   tcp    111  rpcbind
>     100000    4   udp    111  rpcbind
>     100000    3   udp    111  rpcbind
>     100000    2   udp    111  rpcbind
>     100000    4 local    111  rpcbind
>     100000    3 local    111  rpcbind
>     100000    2 local    111  rpcbind
>     100005    1   udp    668  mountd
>     100005    3   udp    668  mountd
>     100005    1   tcp    984  mountd
>     100005    3   tcp    984  mountd
>     100003    2   udp   2049  nfs
>     100003    3   udp   2049  nfs
>     100003    2   tcp   2049  nfs
>     100003    3   tcp   2049  nfs
>
> I opened up all these ports but I can't do an ls or write to nfs or
> whatever.
> Then I thought maybe it's trying something local so I added:
>
> $cmd add 00225 allow ip from 1.2.3.4/24 to any keep-state
>
> Even this does not work.
>
> Tcpdump shows me that when I have ipfw open, it only communicates
> with port 2049 and I don't see anything more.
>
> Can anybody help me out here?
>
> Additional info:
>
> { alltid@arcas } uname -a
> FreeBSD arcas 6.0-RELEASE-p1 FreeBSD 6.0-RELEASE-p1 #2: Wed Jan 4
> 15:45:38 UTC 2006 markfra@arcas:/usr/obj/usr/src/sys/ARCAS i386
>
>
> Mark.
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"

Here is the list:

# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="vr0"                # public interface name of NIC
                         # facing the public Internet
secure="ip2.of.this.box"
arcas="ip.of.this.box"

$cmd 00010 allow all from any to any via lo0
$cmd 00015 check-state
$cmd 00100 allow ip from any to any out via $pif keep-state
$cmd 00200 allow tcp from any to $arcas 80 in via $pif
$cmd 00310 allow icmp from any to any in via $pif

# Allow in secure from selected ip's
$cmd 00410 allow tcp from x.x.x.x/32 to $secure 22 in via $pif keep-state
$cmd 00411 allow tcp from x.x.x.x/32 to $secure 22 in via $pif keep-state

# Allow in nfs requests on secured ip from own network only
$cmd 00425 allow ip from x.x.x.x/24 to $secure setup keep-state

# deny and log all packets that fell through to see what they are
$cmd 00999 deny log all from any to any

Mark.
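The following rule set is added here as an illustration; it is not part of Mark's message or of any reply in the thread. It admits the three services from the rpcinfo listing (rpcbind on 111, mountd, nfsd on 2049) from one internal subnet over both transports the listing shows. The point it demonstrates: ipfw's `setup` keyword matches only TCP packets with SYN set and ACK clear, so a rule of the form `allow ip ... setup` passes TCP connection openings and nothing else; the UDP side of rpcbind, mountd and nfsd never matches such a rule, which is consistent with a trace that shows traffic to port 2049 only. The subnet 192.0.2.0/24, the server address 192.0.2.10, the interface and the mountd port are constructed values; mountd normally takes an ephemeral port, so the example assumes it has been fixed with `mountd_flags="-p 668"` in /etc/rc.conf (mountd(8)'s -p option) so that a static rule can name it.

```shell
#!/bin/sh
# Added example (not the rule set posted in the thread): admit rpcbind, mountd
# and nfsd from one internal subnet over BOTH udp and tcp.
# All addresses, the interface and the mountd port below are assumed values.
lan="192.0.2.0/24"      # internal subnet holding the NFS clients (assumed)
nfs_host="192.0.2.10"   # address of this NFS server on that subnet (assumed)
lif="vr0"               # interface the clients are reached through (assumed)
mountd_port=668         # pinned with mountd_flags="-p 668" in /etc/rc.conf

# Emit one allow rule per transport for a service.  $1 = rule number base,
# $2 = port.  keep-state alone is enough to track UDP request/reply pairs;
# for TCP "setup" is added so that only connection openings create state.
nfs_service_rules() {
    base=$1; port=$2
    echo "$base allow udp from $lan to $nfs_host $port in via $lif keep-state"
    echo "$((base + 1)) allow tcp from $lan to $nfs_host $port in via $lif setup keep-state"
}

# Print the complete rule list, one rule per line, without the "ipfw add" prefix.
nfs_rules() {
    nfs_service_rules 420 111            # rpcbind: clients ask it where mountd is
    nfs_service_rules 422 $mountd_port   # mountd: answers the MOUNT protocol
    nfs_service_rules 424 2049           # nfsd: the file service itself
}

# Load the rules into the kernel.  Pass "echo" as $1 to preview them instead.
load_nfs_rules() {
    run=${1:-ipfw}
    nfs_rules | while read -r rule; do
        $run -q add $rule
    done
}

# Number of generated rules for a transport ("udp" or "tcp").
count_rules() {
    nfs_rules | grep -c "allow $1 "
}
```

The rules are numbered 420 to 425 so they slot in after the SSH rules of the posted list and before its final deny; they rely on a `check-state` rule earlier in the list (the posted 00015) to pass the replies. Locking (rpc.lockd and rpc.statd) is not covered here and would need its own pinned ports and rules.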