From: Mark Frasa (mark@frasa.net)
Date: Wed, 25 Jan 2006 13:58:53 +0100
To: fbsd_user@a1poweruser.com
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW / NFSD
Message-ID: <43D7760D.7080504@frasa.net>

fbsd_user wrote:
>
> Post complete content of your rules file for review by people here
> on list.
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Mark Frasa
> Sent: Wednesday, January 25, 2006 4:04 AM
> To: freebsd-questions@freebsd.org
> Subject: IPFW / NFSD
>
> Hello,
>
> I am currently running 1 HTTP server on FreeBSD 6.0.
>
> Of course, like anyone that likes security, I am running IPFW and set
> the kernel to block by default.
>
> Behind that HTTP server I am running 2 Linux boxes.
>
> The problem is that when I enable the firewall and open up ports from
> rpcinfo -p:
>
>    program vers proto   port  service
>     100000    4   tcp    111  rpcbind
>     100000    3   tcp    111  rpcbind
>     100000    2   tcp    111  rpcbind
>     100000    4   udp    111  rpcbind
>     100000    3   udp    111  rpcbind
>     100000    2   udp    111  rpcbind
>     100000    4 local    111  rpcbind
>     100000    3 local    111  rpcbind
>     100000    2 local    111  rpcbind
>     100005    1   udp    668  mountd
>     100005    3   udp    668  mountd
>     100005    1   tcp    984  mountd
>     100005    3   tcp    984  mountd
>     100003    2   udp   2049  nfs
>     100003    3   udp   2049  nfs
>     100003    2   tcp   2049  nfs
>     100003    3   tcp   2049  nfs
>
> I opened up all these ports but I can't do an ls or write to nfs or
> whatever.
> Then I thought maybe it's trying something local so I added:
>
> $cmd add 00225 allow ip from 1.2.3.4/24 to any keep-state
>
> Even this does not work.
>
> Tcpdump shows me that when I have ipfw open, it only communicates with
> port 2049 and I don't see anything more.
>
> Can anybody help me out here?
>
> Additional info:
>
> { alltid@arcas } uname -a
> FreeBSD arcas 6.0-RELEASE-p1 FreeBSD 6.0-RELEASE-p1 #2: Wed Jan 4
> 15:45:38 UTC 2006 markfra@arcas:/usr/obj/usr/src/sys/ARCAS i386
>
> Mark.
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

Here is the list:

# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="vr0"                 # public interface name of NIC
                          # facing the public Internet
secure="ip2.of.this.box"
arcas="ip.of.this.box"

$cmd 00010 allow all from any to any via lo0
$cmd 00015 check-state
$cmd 00100 allow ip from any to any out via $pif keep-state
$cmd 00200 allow tcp from any to $arcas 80 in via $pif
$cmd 00310 allow icmp from any to any in via $pif

# Allow in secure from selected ip's
$cmd 00410 allow tcp from x.x.x.x/32 to $secure 22 in via $pif keep-state
$cmd 00411 allow tcp from x.x.x.x/32 to $secure 22 in via $pif keep-state

# Allow in nfs requests on secured ip from own network only
$cmd 00425 allow ip from x.x.x.x/24 to $secure setup keep-state

# deny and log all packets that fell through to see what they are
$cmd 00999 deny log all from any to any

Mark.
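The following is an added example and not part of the thread or of anyone's posted ruleset. It shows a stateful ipfw rule block that admits each service listed in the rpcinfo output above (rpcbind 111, mountd 668/udp and 984/tcp, nfs 2049) from one trusted subnet over both TCP and UDP. The `setup` keyword only matches TCP packets with SYN set and no ACK, so a rule written as `allow ip ... setup keep-state` can never create a dynamic entry for UDP datagrams, and NFS, mountd and rpcbind all register UDP transports; the rules below therefore use plain `keep-state` per protocol and rely on an earlier `check-state` rule (00015 in the posted list) to match the dynamic entries. The script prints the ipfw commands rather than executing them so it can be reviewed, or run through a second shell, on a host that has ipfw. The subnet 192.0.2.0/24, the address 192.0.2.1 and the rule numbers are constructed placeholders; the interface name vr0 comes from the posted ruleset; the mountd ports are assumed to be pinned (mountd(8) accepts -p to fix its port) so they do not change on restart.

```shell
#!/bin/sh
# Added example: emit ipfw rules that admit NFS-related RPC services from a
# trusted subnet over TCP and UDP. Not taken from the thread's ruleset.

trusted="${TRUSTED_NET:-192.0.2.0/24}"   # constructed placeholder subnet
secure="${SECURE_IP:-192.0.2.1}"         # constructed placeholder address of the NFS server
pif="${PIF:-vr0}"                        # interface name from the posted ruleset
cmd="ipfw -q add"

# One rule per (protocol, port) pair from the rpcinfo listing:
#   rpcbind 111 tcp+udp, mountd 984/tcp and 668/udp, nfs 2049 tcp+udp.
# keep-state without `setup` so UDP datagrams also create dynamic entries;
# a check-state rule must precede these so replies match the dynamic table.
nfs_rules() {
    n=425                                # constructed starting rule number
    for spec in "tcp 111" "udp 111" "tcp 984" "udp 668" "tcp 2049" "udp 2049"; do
        set -- $spec                     # $1 = protocol, $2 = port
        printf '%s %05d allow %s from %s to %s %s in via %s keep-state\n' \
            "$cmd" "$n" "$1" "$trusted" "$secure" "$2" "$pif"
        n=$((n + 1))
    done
}

# Sanity check for a reviewer: how many of the emitted rules admit UDP.
# A ruleset that only contains TCP rules will never pass NFS over UDP.
udp_rule_count() {
    nfs_rules | grep -c ' allow udp '
}

nfs_rules
```

Pipe the output into a shell on the FreeBSD host after checking it (`sh nfs-rules.sh | sh`), or paste the printed lines into the rules file next to the existing 004xx rules. Because every rule is scoped to the trusted subnet and the server's own address, the default-deny rule 00999 still drops and logs RPC probes from anywhere else, which is the part of the posted design worth keeping.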