From: Mark Frasa <mark@frasa.net>
Date: Wed, 25 Jan 2006 16:00:35 +0100
To: freebsd-questions@freebsd.org
Subject: Re: IPFW / NFSD
Message-ID: <43D79293.9090509@frasa.net>
In-Reply-To: <43D7827A.2050206@mac.com>

Chuck Swiger wrote:
> Mark Frasa wrote:
>
>> I am currently running 1 HTTP server on FreeBSD 6.0
>>
>> Of course, like anyone that likes security, I am running IPFW and set
>> the kernel to block by default.
>>
>> Behind that HTTP server I am running 2 Linux boxes.
>>
>> The problem is that when I enable the firewall and open up ports from
>> rpcinfo -p:
>
> [ ... ]
>
>> I opened up all these ports but I can't do an ls or write to NFS or
>> whatever.
>
> You should not be running portmap and NFS on a firewall machine. You should not
> attempt to pass NFS or other filesharing through a firewall, except perhaps by
> using VPN tunneling.
>
> If this existing machine needs to do NFS to your other Linux boxes, it should be
> placed behind a properly hardened firewall which perhaps uses NAT to forward
> HTTP connections inside to it.

Let me explain in more detail; I have:

    INTERNET
    FIREWALL/NFSD/HTTPD Machine
    LINUXBOX    LINUXBOX

The boxes are on a /24 network and the firewall has 2 IPs, 1 for local and
1 for outside connections, but both in the same subnet.

I want to use a $secure IP for nfsd and ssh connections, while using @arcas
as an IP for port 80 connections.

What I don't get is when I open up the $secureip for the /24 network I still
get timeouts when writing to nfsd.

Mark.
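An added example, not from the thread or from either poster: a POSIX sh script that turns the port list from `rpcinfo -p` into IPFW allow rules scoped to the internal /24 and the firewall's internal ("$secure") address only, so nothing RPC-related is opened on the outside address; UDP gets an explicit reply-direction rule because IPFW rules for UDP are stateless. The addresses, rule numbers and the rpcinfo sample are constructed placeholders; the thread gives none.

```shell
#!/bin/sh
# Added example (not from the thread): generate IPFW rules for the RPC
# services listed by `rpcinfo -p`, restricted to LAN_NET -> SECURE_IP.
# Assumed placeholder values; replace with the real internal /24 and address.
SECURE_IP="${SECURE_IP:-192.0.2.1}"     # internal address nfsd/sshd listen on
LAN_NET="${LAN_NET:-192.0.2.0/24}"      # the /24 the Linux boxes are on
RULE_BASE="${RULE_BASE:-1000}"          # first rule number to hand out

# Constructed sample of `rpcinfo -p` output (columns: program vers proto port name).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    3   udp    978  mountd
    100005    1   udp    978  mountd
    100005    3   tcp    979  mountd
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    4   udp    843  nlockmgr
    100024    1   udp    819  status'

# Read rpcinfo output on stdin; print one `ipfw add` line per distinct
# proto/port pair.  UDP is stateless in IPFW, so the server->client reply
# direction needs its own rule; TCP replies ride on the usual
# `allow tcp from any to any established` rule that a default-deny set has.
gen_rpc_rules() {
    rule="$RULE_BASE"
    seen=""
    while read -r _prog _vers proto port _name; do
        case "$proto" in tcp|udp) ;; *) continue ;; esac   # skip the header line
        key="$proto/$port"
        case " $seen " in *" $key "*) continue ;; esac     # same port, other version
        seen="$seen $key"
        echo "ipfw add $rule allow $proto from $LAN_NET to $SECURE_IP $port in"
        rule=$((rule + 1))
        if [ "$proto" = udp ]; then
            echo "ipfw add $rule allow udp from $SECURE_IP $port to $LAN_NET out"
            rule=$((rule + 1))
        fi
    done
}

# Stand-alone demo on the constructed sample; on a real box: rpcinfo -p | gen_rpc_rules
printf '%s\n' "$SAMPLE_RPCINFO" | gen_rpc_rules
```

Caveat: mountd, nlockmgr and status pick their ports at start-up, so rules generated this way go stale after a reboot unless those daemons are started with fixed ports (FreeBSD's mountd, rpc.lockd and rpc.statd accept -p for this) and the rules are regenerated from the pinned values.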