From: Erik Nørgaard <norgaard@locolomo.org>
Organization: Locolomo.ORG
To: Matt Juszczak
cc: freebsd-questions@freebsd.org
Subject: Re: IPFILTER and NFS
Date: Sun, 03 Apr 2005 13:04:51 +0200
Message-ID: <424FCDD3.6040507@locolomo.org>
In-Reply-To: <424F8B94.7050006@atopia.net>

Matt Juszczak wrote:
> Howdy,
>
> Trying to get IPFILTER and NFS working. A google search didn't show
> much about my specific issue. With ipfilter working, nfs initially
> works, until someone tries to login. Then it stops working. With my
> firewall down on the NFS-CLIENT machine, it works fine. Any ideas?
>
> It appears to be an issue with random ports....

It is: NFS is an RPC service where the RPC daemon is requested for info on which port mountd binds to.

I wrote a howto for diskless clients, www.daemonsecurity.com/pxe/ - here's what to do:

Enable nfs in /etc/rc.conf:

rpcbind_enable="YES"      # Run the portmapper service (YES/NO).
nfs_server_enable="YES"   # This host is an NFS server (or NO).
mountd_enable="YES"       # Run mountd (or NO).
mountd_flags="-r -p 59"   # Force mountd to bind on port 59

As a minimum you need to enable rpcbind, nfsserver and mountd. lockd and statd provide file locking and status monitoring.

By default, when mountd starts it binds to some arbitrary port, and rpc is used to discover which, making it impossible to firewall. With option '-p' mountd can be forced to bind to a specific port. Port 59 is assigned to "any private file service" (see /etc/services). This limits the number of ports relevant to 59, 111 and 2049.

You can't force lockd and statd to bind to specific ports (they are also RPC services) and AFAIK you can't have disk quotas work correctly because of this.

AFAIK NFS4 should address these problems, but the NFS4 server is still experimental. Till then, RPC is a security nightmare.

Erik

--
Ph: +34.666334818 web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
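As an added example (not part of Erik's post or his howto): a small sh script that checks `rpcinfo -p` output against the three static ports named above (59 for mountd, 111 for rpcbind, 2049 for nfs), lists the RPC registrations that landed on arbitrary ports and therefore cannot be covered by a fixed ipfilter rule, and prints pass rules for the static ports. The rpcinfo sample is constructed, and the client network 192.168.0.0/24 is an assumption.

```shell
#!/bin/sh
# Added example: find RPC services that a static ipfilter rule set cannot
# cover. Ports the post says can be allowed: 59 mountd, 111 rpcbind, 2049 nfs.
ALLOWED_PORTS="59 111 2049"

# Constructed sample in the format of `rpcinfo -p` on FreeBSD: mountd was
# started with "-p 59", while lockd (nlockmgr) and statd (status) picked
# arbitrary ports, exactly the situation the post describes.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100005    1   udp     59  mountd
    100005    3   tcp     59  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp    937  nlockmgr
    100021    4   tcp    703  nlockmgr
    100024    1   udp    871  status
    100024    1   tcp    789  status'

# Read rpcinfo-style text on stdin; print "proto port service" for every
# registration whose port is not in ALLOWED_PORTS.
unfirewallable_rpc() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 && $1 == "program" { next }      # skip the header line
        NF >= 5 && !($4 in ok)     { print $3, $4, $5 }
    '
}

# Exit 0 if every registration on stdin sits on an allowed port, else 1.
rpc_ports_are_static() {
    [ -z "$(unfirewallable_rpc)" ]
}

# Print ipfilter pass rules admitting the static ports from a client net.
# Rules are written without "on <iface>", so they apply to all interfaces.
ipf_rules_for() {
    net="$1"
    for p in $ALLOWED_PORTS; do
        echo "pass in quick proto tcp from $net to any port = $p flags S keep state"
        echo "pass in quick proto udp from $net to any port = $p keep state"
    done
}

# Stand-alone run on the sample; on a real host: rpcinfo -p | unfirewallable_rpc
printf '%s\n' "$SAMPLE_RPCINFO" | unfirewallable_rpc
ipf_rules_for 192.168.0.0/24
```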