From: "Aaron P. Martinez"
To: freebsd-questions@freebsd.org
Date: Tue, 29 Nov 2005 20:58:48 -0600 (CST)
Subject: pf blocking nfs

I am running FreeBSD 6.0-RELEASE and setting up a very basic firewall using pf on my workstation. The ruleset is as follows:

    block in log all
    pass quick on lo0 all
    #pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
    pass out on fxp0 proto { tcp, udp, icmp } all keep state

I am mounting /home on a Linux machine to /usr/home on my workstation, as I have done for years.
I'm new to FreeBSD, but I have nfs_client_enable="YES" and rpcbind_enable="YES", which by all documentation I have read should be more than enough. The problem I'm experiencing is that pf is blocking NFS packets and my workstation thinks that the NFS server is not responding. To further complicate this, directories that don't have much in them on the exporting server seem to work fine, but users that have a ton of stuff just hang when trying to list the contents or switch to the directory. Disabling pf will make things start working again. One more glitch is that sometimes, not often, things work as expected even with pf enabled. I can't figure out what's going on. Below is some output from pflog as it's blocking the NFS packets.

    000235 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 239) 192.168.3.94.138 > 192.168.3.95.138:
    >>> NBT UDP PACKET(138) Res=0x110A ID=0x42BE IP=192 (0xc0).168 (0xa8).3 (0x3).94 (0x5e) Port=138 (0x8a) Length=197 (0xc5) Res2=0x0
    SourceName=
    WARNING: Short packet. Try increasing the snap length
    202. 510573 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4076, offset 0, flags [+], proto: UDP (17), length: 1500) 192.168.3.94.2049 > 192.168.3.69.325876150: reply ok 1472
    000083 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4076, offset 1480, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
    000122 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4076, offset 2960, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
    000121 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4076, offset 4440, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
    000125 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4076, offset 5920, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
    000072 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4076, offset 7400, flags [none], proto: UDP (17), length: 828) 192.168.3.94 > 192.168.3.69: udp
    1. 587911 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4077, offset 0, flags [+], proto: UDP (17), length: 1500) 192.168.3.94.2049 > 192.168.3.69.325876150: reply ok 1472
    000084 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4077, offset 1480, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
    000134 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4077, offset 2960, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
    000124 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4077, offset 4440, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
    000119 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4077, offset 5920, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
    000051 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4077, offset 7400, flags [none], proto: UDP (17), length: 828) 192.168.3.94 > 192.168.3.69: udp
    3. 167948 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4078, offset 0, flags [+], proto: UDP (17), length: 1500) 192.168.3.94.2049 > 192.168.3.69.325876150: reply ok 1472
    000096 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4078, offset 1480, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
    000125 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4078, offset 2960, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
    000118 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4078, offset 4440, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
    000131 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4078, offset 5920, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
    000078 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4078, offset 7400, flags [none], proto: UDP (17), length: 828) 192.168.3.94 > 192.168.3.69: udp
    6. 326312 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4079, offset 0, flags [+], proto: UDP (17), length: 1500) 192.168.3.94.2049 > 192.168.3.69.325876150: reply ok 1472
    000094 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4079, offset 1480, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
    000114 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4079, offset 2960, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
    000124 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4079, offset 4440, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
    000125 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4079, offset 5920, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
    000050 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4079, offset 7400, flags [none], proto: UDP (17), length: 828) 192.168.3.94 > 192.168.3.69: udp

I can't tell why this isn't working.
I know that UDP is stateless, but I was inclined to believe that you could still use state tracking with pf. I'd really like to have the firewall in place when this machine is connected to the internet...

TIA,
Aaron Martinez
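An added pf.conf example (not from the original post) showing why the posted ruleset drops these NFS replies and the usual correction: the log shows each ~8 KB UDP reply split into six IP fragments, and only the first fragment carries the UDP ports that a `keep state` entry can match. It assumes the interface fxp0 and NFS server 192.168.3.94 from the post; the `ext_if` and `nfs_server` macros are this example's own.

```pf
# Added example, not the poster's file. Assumes fxp0 and the NFS server
# 192.168.3.94 seen in the pflog output.
ext_if = "fxp0"
nfs_server = "192.168.3.94"

# Each "reply ok 1472" in the log is an ~8 KB UDP datagram that arrives as six
# IP fragments (id 4076..4079, offsets 0, 1480, ... 7400). Only the offset-0
# fragment has a UDP header, so only it can match the state created by
# "pass out ... keep state"; the other five carry no ports, match nothing,
# and fall through to "block in log all". Reassembling before the rules run
# turns the reply back into one datagram that matches the existing state.
scrub in on $ext_if all fragment reassemble

block in log all
pass quick on lo0 all

# Unchanged from the post: outbound traffic creates state, replies ride on it.
pass out on $ext_if proto { tcp, udp, icmp } all keep state

# The port 138 datagram in the log (NetBIOS datagram service, NBT) is
# unrelated LAN chatter and is fine to leave blocked. If you ever do need
# an inbound UDP rule, scope it to the NFS server rather than "from any":
# pass in on $ext_if proto udp from $nfs_server to $ext_if keep state
```

Mounting the export over TCP instead (`mount_nfs -T`, or the `tcp` option in fstab) avoids UDP fragmentation altogether and is simpler for a stateful firewall to track.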