Date: Tue, 29 Nov 2005 21:22:28 -0600 (CST)
From: "Aaron P. Martinez" <ml@proficuous.com>
To: "Chuck Swiger" <cswiger@mac.com>
Cc: "Aaron P. Martinez" <ml@proficuous.com>, freebsd-questions@freebsd.org
Subject: Re: pf blocking nfs
Message-ID: <63871.192.168.3.69.1133320948.squirrel@webmail.proficuous.com>
In-Reply-To: <438D1894.90500@mac.com>
References: <60336.192.168.3.69.1133319528.squirrel@webmail.proficuous.com> <438D1894.90500@mac.com>
> Aaron P. Martinez wrote:
>> I am running FreeBSD 6.0-release and setting up a very basic firewall
>> using pf on my workstation. The ruleset is as follows:
>>
>> block in log all
>> pass quick on lo0 all
>> #pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
>> pass out on fxp0 proto { tcp, udp, icmp } all keep state
>
> Your firewall config is not enough to permit NFS to pass. You might
> consider adding a "pass all" rule for machines on the local subnet.
>
> [ Perhaps you should re-evaluate your network so that you do not attempt
> to pass NFS through the firewall. If you have to do filesharing between
> machines over an untrusted connection, you should consider a VPN or
> SSH tunnel approach instead. ]
>
> --
> -Chuck

Actually my network looks like this:

    INT---firewall------internal router/firewall---------good lan
            |                     |
            |                     |---------insecure lan (windoze machines)
            |
            |----DMZ

The good lan is the only one that does NFS, so the NFS doesn't actually pass through the firewall; it just connects to the internal router/firewall. I am simply trying to avoid a worst-case scenario (internal router gets compromised), so I am trying to allow ONLY return packets. Is this unfeasible?

Can you suggest a rule instead of:

    pass out on fxp0 proto { tcp, udp, icmp } all keep state

or in addition to that, that would still keep me very secure and at the same time allow me to use NFS as I'm trying?

Thanks for the quick reply,

Aaron Martinez
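A return-packets-only variant of the ruleset above, written as an added example rather than anything posted in this thread: it keeps `block in log all`, narrows the outbound NFS rule to the internal router/firewall only, and adds fragment reassembly, which a stateful pf ruleset needs for NFS over UDP. The `$int_rtr` address and the pinned mountd port are assumed placeholders, not values from the thread.

```pf
# Added example, not from the thread. Assumptions:
#   fxp0      workstation interface on the "good lan" (named in the thread)
#   int_rtr   address of the internal router/firewall that serves NFS (placeholder)
#   890       mountd port pinned on the server with mountd_flags="-p 890" (placeholder);
#             without pinning, mountd takes a port assigned via rpcbind and cannot be listed here
ext_if    = "fxp0"
int_rtr   = "192.168.3.1"
nfs_ports = "{ 111, 2049, 890 }"      # rpcbind, nfsd, mountd

# NFS over UDP fragments 8k reads/writes into several IP fragments; pf matches
# state on whole datagrams, so reassemble inbound traffic before filtering.
scrub in all

# Nothing comes in unsolicited; replies are admitted only via the state table.
block in log all
pass quick on lo0 all

# NFS: only from this host, only to the internal router, only the NFS ports.
# "keep state" lets the server's replies back in and nothing else.
pass out on $ext_if proto { tcp, udp } from $ext_if to $int_rtr port $nfs_ports keep state

# Remaining outbound traffic stays stateful, as in the original ruleset.
pass out on $ext_if proto { tcp, udp, icmp } all keep state

# Caveat: NFS file locking (rpc.lockd/rpc.statd) involves server-initiated
# callbacks on rpcbind-assigned ports; those are new inbound connections and
# will hit "block in log all" under a return-packets-only policy.
```

Check what the policy is actually dropping with `tcpdump -n -e -ttt -i pflog0` before loosening anything; with the `log` keyword on the block rule, every rejected NFS fragment or callback shows up there.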