From: Ian Smith <smithi@nimnet.asn.au>
To: vittorio
Cc: freebsd-questions@freebsd.org
Date: Fri, 24 Nov 2006 19:05:34 +1100 (EST)
Subject: Re: IPFW & NFS
In-Reply-To: <20061123205910.48C7C16A599@hub.freebsd.org>

Re: freebsd-questions Digest, Vol 157, Issue 12 Message: 25

vittorio wrote:

> Well I tried something similar to your
> ipfw add xxx allow udp from ${client} to ${server} ${nfsports} keep-state
> ipfw add 300 allow udp from 10.0.0.2 to 10.0.0.1 2049,111,1022 setup keep-state
> (it differs from your line for the setup option).
> It didn't work at all.

As mentioned earlier, 'setup' only applies to TCP. And I'm not entirely
sure that covers all the UDP ports needed, but I can't check right now.

> Afterwards, following Chuck's advice, I had a go at modifying the ipfw
> firewall in the nfs client 10.0.0.2 (no firewall for the time being on
> the nfs server 10.0.0.1) and added towards the end of the list,
> immediately before the very last line denying everything else
>
> 50000 allow ip from 10.0.0.1 to 10.0.0.2
> 51000 allow ip from 10.0.0.2 to 10.0.0.1
> 65535 deny ip from any to any

Well that would work, if there are no other blocking rules before those.

> It seemed to work.... partially! I mean that I could mount_nfs the share
> in the client, surfing the directories, reading and writing files in the
> share, BUT ... out of the blue, after some minutes the client froze and
> I had to reboot :-( brutally turning off and on the box.

Even in (rare) cases where brutality is required, the reset button is a
lot easier on the box.

However I doubt your 'freeze' here has anything to do with your firewall
rules. We haven't much info to go on so far:

Are you using the standard NFS options on both server and client? If
not, what options?

Are you running rpc.statd and/or rpc.lockd on the server? client?

Have you tried using TCP rather than UDP mode? (mount_nfs -T) or
interruptible mounts (-i)? Maybe slower, but likely safer.

Have you tried running tcpdump on either box to watch the traffic?

If you show us what you _are_ trying, we won't have to guess ..

Cheers, Ian

[Please cc me also, digests often arrive after quite some delay]

> Help please
> Vittorio
>
> At 05:25, Thursday 23 November 2006, Ian Smith wrote:
> > vittorio wrote:
> > > I have two FreeBSD 6.1 boxes one of which (IP 10.0.0.1) is an NFS server
> > > and the other one (IP 10.0.0.2) is, among other things, an NFS client
> > > sharing directories with the NFS server.
> > > It all works correctly and I can mount_nfs all the directories from the
> > > server.
> > > BUT, I'm now trying to use an IPFW firewall both on the server and on
> > > the client. My simple aim is to set up connections between the 10.0.0.1
> > > server and the 10.0.0.2 client ** only **; no connections should be
> > > possible with other clients!
> > > Now I've tried the poor documentation I could find googling with the
> > > keywords "freebsd ipfw nfs" to no avail, I cannot mount_nfs any share on
> > > the client because something goes wrong with RPC.
> > > Concentrating on the client side (no ipfw for the moment on the server)
> > > I tried the following
> > >
> > > ipfw add 300 allow ip from 10.0.0.1 2049,111,1022 to 10.0.0.2 via fxp0
> > > setup keep-state
> > >
> > > OR
> > > ipfw add 300 allow ip from 10.0.0.1 to 10.0.0.2 2049,111,1022 via fxp0
> > > setup keep-state
> > >
> > > OR
> > > ipfw add 300 allow ip from 10.0.0.1 2049,111,1022 to me via fxp0 setup
> > > keep-state
> > >
> > > OR
> > > ipfw add 300 allow ip from 10.0.0.1 to me 2049,111,1022 via fxp0 setup
> > > keep-state
> > >
> > > If I disable the firewall it all goes smoothly.
> >
> > Firstly, what Chuck and Bill said .. but some further points ..
> >
> > Secondly, you don't specify port numbers with 'allow ip', which covers
> > tcp, udp and raw ip packets also; you want 'allow udp' here, unless of
> > course you're using NFS over TCP as well, where you'd need 'allow tcp'.
> > Note also that 'setup' only applies to TCP connections.
> >
> > Thirdly, if you do want to use stateful rules on the client, you'll do
> > better doing them on your _outbound_ connections, something like:
> >
> > ipfw add xxx allow udp from ${client} to ${server} ${nfsports} keep-state
> >
> > If it were me I'd concentrate on the server side firewall rules (and
> > /etc/exports allowed hosts) both for allowing desired and disallowing
> > undesired connections, so not having to worry much about what client/s
> > may or may not be doing.
> >
> > 'man ipfw' is actually pretty good documentation, though there is a fair
> > bit to absorb there. I still read it before bedtime now and again :)
> >
> > Ciao, Ian
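The server-side, client-only ruleset Ian describes (stateful 'allow udp' and 'allow tcp' rules with a default deny, plus the /etc/exports host restriction), as an added example that is not from the thread; the IPs and the port list come from the thread, while the ruleset layout, the DRY_RUN switch and the exports path are assumptions of this example:

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rules in the shapes Ian suggests,
# plus the matching /etc/exports entry. Constructed values: the IPs and the
# port list 111,2049,1022 are those in the thread; the ruleset is assumed.
client=10.0.0.2
server=10.0.0.1
nfsports=111,2049,1022

# Print each ipfw command unless DRY_RUN=0, in which case it is executed.
fw() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'ipfw %s\n' "$*"
    else
        ipfw "$@"
    fi
}

# The rule shape from the thread that cannot work: 'allow ip' takes no
# port list and 'setup' matches TCP SYNs only, so UDP never matches it.
broken_rule() {
    printf 'ipfw add 300 allow ip from %s to %s %s setup keep-state\n' \
        "$client" "$server" "$nfsports"
}

# Ruleset for the NFS server: only this client may talk NFS/RPC, everything
# else is denied. Rule 300 is also the client's outbound rule, since the
# first packet of every exchange goes client -> server.
server_rules() {
    fw -q flush
    fw add 100 check-state
    fw add 200 allow ip from any to any via lo0
    # UDP NFS/RPC: no 'setup' (TCP only); keep-state admits the replies.
    fw add 300 allow udp from "$client" to "$server" "$nfsports" keep-state
    # TCP mounts (mount_nfs -T): 'setup' matches the SYN, keep-state the rest.
    fw add 310 allow tcp from "$client" to "$server" "$nfsports" setup keep-state
    # Assumption: rpc.lockd/rpc.statd/mountd use dynamic ports unless pinned,
    # so mounts that need them require those ports added to $nfsports.
    fw add 65000 deny ip from any to any
}

# Second layer Ian recommends: an /etc/exports line limited to the same host.
exports_line() {
    printf '%s -maproot=nobody %s\n' "$1" "$client"
}

server_rules
exports_line /usr/home
```

Run it as-is to review the generated rules; set DRY_RUN=0 on the server to apply them.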