Date: Thu, 01 Jun 2000 15:19:45 -0700
From: Jon Nelson
To: questions@freebsd.org
Subject: nfs + ipfw problem
Message-Id: <4.2.0.58.20000601150925.00a50e18@192.168.0.1>

I was wondering what I need to do to allow NFS on a machine that has a
relatively paranoid firewall set up with ipfw. There is only one machine
with files on it that I need to access from the firewalled machine, and
since it is run by me I trust it. The pertinent parts of my firewall
rules are as follows:

    fwcmd=/sbin/ipfw
    nfssrv=...    # ip of nfs server, on a different subnet
    ip=...        # my ip address

    ${fwcmd} add 90 pass ip from ${nfssrv} to any           # allow all access from nfs server
    ${fwcmd} add 100 pass tcp from any to any established   # allow established TCP connections
    ${fwcmd} add 100 pass all from any to any frag          # allow fragmented packets
    # ... some bland rules for DNS, ssh, auth, etc..
    ${fwcmd} add 100 pass icmp from any to ${ip}            # allow all ICMP, both directions
    ${fwcmd} add 100 pass icmp from ${ip} to any
    ${fwcmd} add 200 deny log tcp from any to any setup     # deny everything else, and log it for fun and profit

Now, when I try and mount from that machine I get the following error:

    NFS Portmap: RPC: Port mapper failure - RPC: Unable to send

The odd thing is, if I change the first rule (90) from ``allow ip from
${nfssrv}'' to ``allow ip from any'', it works fine... I am stumped.

--jn
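Editor's note with an added example (not part of the original post). Rule 90 only matches packets whose source is the NFS server; nothing in the posted set matches packets the client sends to the server. NFS, mountd and the portmapper lookups use UDP by default, so the TCP-only "established" rule does not help, and the ICMP rules are irrelevant, so the client's outbound datagram falls through to the firewall's default deny. "RPC: Unable to send" is the RPC library reporting that sendto() itself failed, which is what a locally dropped outbound packet looks like, and it is why widening rule 90 to "from any" (which passes the client-to-server direction too) makes the mount work. The script below reproduces the poster's rules with the missing direction added as rule 91. The addresses are placeholders (an assumption); set NFSSRV and MYIP, and run it with "apply" to feed the rules to ipfw, or without arguments to just print them.

```shell
#!/bin/sh
# Added example, not the poster's script: NFS client rules for ipfw with
# the missing client-to-server direction. Addresses are placeholders.

fwcmd=${FWCMD:-/sbin/ipfw}
nfssrv=${NFSSRV:-192.0.2.10}   # NFS server on another subnet (placeholder, assumption)
ip=${MYIP:-192.0.2.20}         # this client's address (placeholder, assumption)

# Print the rule set one rule per line so it can be reviewed before applying.
nfs_client_rules() {
    # Poster's rule 90: anything the NFS server sends us is allowed in.
    echo "add 90 pass ip from $nfssrv to any"
    # The missing half: what this host sends to the server. The RPC portmap
    # request, mountd and nfsd traffic are UDP, so the TCP 'established'
    # rule never matches them; without this rule the outbound datagram is
    # dropped and sendto() fails ("RPC: Unable to send").
    echo "add 91 pass ip from $ip to $nfssrv"
    # Poster's remaining rules, unchanged.
    echo "add 100 pass tcp from any to any established"
    echo "add 100 pass all from any to any frag"
    echo "add 100 pass icmp from any to $ip"
    echo "add 100 pass icmp from $ip to any"
    echo "add 200 deny log tcp from any to any setup"
}

# Feed each rule to ipfw (set fwcmd=echo for a dry run).
apply_rules() {
    nfs_client_rules | while read -r rule; do
        # shellcheck disable=SC2086  # splitting $rule into words is intended
        $fwcmd $rule || return 1
    done
}

# Sanity check: the rule set must contain the client-to-server rule.
has_outbound_rule() {
    nfs_client_rules | grep -q "pass ip from $ip to $nfssrv"
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     nfs_client_rules ;;
esac
```

Since the poster trusts the server, rule 91 mirrors rule 90 and passes all IP between the two hosts. A tighter version would restrict it to the portmapper (UDP/TCP 111), nfsd (2049) and whatever port mountd is registered on, which is dynamic unless the server pins it; check with `rpcinfo -p <server>` before narrowing the rule.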