From: "Aaron P. Martinez"
To: "Chuck Swiger"
Cc: "Aaron P. Martinez", freebsd-questions@freebsd.org
Date: Tue, 29 Nov 2005 21:56:59 -0600 (CST)
Subject: Re: pf blocking nfs
Message-ID: <65229.192.168.3.69.1133323019.squirrel@webmail.proficuous.com>
In-Reply-To: <438D1D95.7010503@mac.com>

> Aaron P. Martinez wrote:
> [ ... ]
>> Actually my network looks like this:
>>
>> INT---firewall------internal router/firewall---------good lan
>>          |                        |
>>          |                        |---------insecure lan (windoze machines)
>>          |
>>          |----DMZ
>>
>> the good lan is the only one that does nfs, so the nfs doesn't actually
>> pass through the firewall, just connects to the internal router/firewall.
>> I am simply trying to avoid a worst case scenario (internal router gets
>> compromised) so trying to allow ONLY return packets. Is this unfeasible?
>
> I take it that your internal firewall box has three NICs, then?
>
> Normally, your firewall should not be doing anything else but security
> and would not be mounting NFS or depending on any other services on your
> network. If that is not possible, you should permit traffic through the
> interface on the "good LAN".
>
> --
> -Chuck

The "main" firewall, which connects to the internet, does nothing else but filter incoming connections, but I'm a little more lax with the internal one, which separates my LANs (and actually there are 3 bad LANs, one good, and the connection to the main firewall... so 5 NICs).

The problem I'm experiencing isn't with the firewall on the NFS server; it has always seemed to work, even with a Linux workstation when I had only one rule in iptables on the INPUT chain:

iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

......that seems to be fine (iptables); the workstation is where the problems seem to arise. When the aforementioned 3 line pf.conf is enabled I can connect to and mount the NFS /home directory, just when I try to go into or list the contents of a large directory, it seems that pf loses the state for some reason. I realize I could just accept all UDP packets from the NFS server or even just port 2049, but the underlying question is, why isn't my "keep state" rule handling this.

Thanks again,

Aaron Martinez
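An added example of a workstation pf.conf in the spirit of the 3-line "keep state" ruleset discussed above; it is not the ruleset from the thread, and the interface name and NFS server address are assumptions. It keeps the default-deny plus keep-state shape of the original and adds the one setting that matters for large NFS replies over UDP: fragment reassembly, since only the first fragment of a fragmented datagram carries the UDP header that pf needs to match an existing state.

```pf
# Added example, not the poster's ruleset. Interface and server address
# are assumed values.
ext_if  = "fxp0"
nfs_srv = "192.168.3.10"    # assumed address of the NFS server on the good LAN

# Reassemble IP fragments before the rules run. A listing of a big
# directory comes back as fragmented UDP datagrams; without reassembly the
# second and later fragments match no state and fall through to "block",
# which looks exactly like pf "losing" the state.
scrub in all

# Default deny in both directions.
block all

# Keep state for everything the workstation initiates, so the replies
# (including the UDP RPC traffic to the NFS server) are let back in.
pass out on $ext_if keep state

# Narrower alternative for the NFS traffic only, instead of accepting all
# UDP from the server:
#   pass out on $ext_if proto udp to $nfs_srv port { 111 2049 } keep state
#   (111 = rpcbind/portmap, 2049 = nfsd; mountd uses an RPC-assigned port)
# If state still appears to drop, mount with rsize/wsize smaller than the
# path MTU so the replies are not fragmented in the first place.
```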