Date: Thu, 14 Dec 2006 23:23:08 -0800
From: Garrett Cooper <youshi10@u.washington.edu>
To: freebsd-questions@freebsd.org
Subject: ipf and dealing with inbound RPC services
Message-ID: <45824D5C.30600@u.washington.edu>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello once again,

Just set up ipf on my FreeBSD server, and I'm having some issues with RPC services and my firewall rules. I run nfsd and smbd, exporting my directories to a number of clients, and everything works without the firewall running, but stuff doesn't work with it running in smbd.

Here are my effective rules for the server so far:

[root@hoover /home/gcooper]# ipfstat -i
pass in quick on lo0 all
block in quick from any to any with frag
block in quick from 172.16.0.0/12 to any
block in quick from 10.0.0.0/8 to any
block in quick from 127.0.0.0/8 to any
block in quick from 0.0.0.0/8 to any
block in quick from 169.254.0.0/16 to any
block in quick from 192.0.2.0/24 to any
block in quick from 204.152.64.0/23 to any
block in quick from 224.0.0.0/3 to any
pass in quick proto tcp from any to 192.168.0.100/32 port = ssh flags S/FSRPAU keep state
pass in quick proto tcp/udp from any to any port = sunrpc keep state
pass in quick proto tcp/udp from any to any port 830 >< 884 keep state
pass in quick proto tcp/udp from any to any port 137 >< 139 keep state
pass in quick proto tcp/udp from any to any port = microsoft-ds keep state
pass in quick proto tcp/udp from any to any port = nfsd keep state
pass in quick proto tcp/udp from any to any port = 3632 keep state
pass in quick proto icmp from any to 192.168.0.100/32 keep state

[root@hoover /home/gcooper]# ipfstat -o
pass out quick on lo0 all
pass out quick all keep state

nfsd works, but only after experimenting with the open ports a bit. Figured out that rpcbind semi-randomly selects ports for mountd and I have to write a script to auto-add rules for the ports it creates for mountd.

As for smbd, I can't seem to get incoming packets past the ipf firewall.

Would anyone have any ideas for why things aren't working for smbd and have solutions for how you got your ipf firewall to work with smbd? All the solutions I can find after some searching have to deal with Solaris or ancient versions of FreeBSD (2.1... eep).

TIA,
- -Garrett
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFgk1bEnKyINQw/HARAr3yAJ9L4lZcsj16a3m+ls+1S6MxfrVAvgCdFyWh
ClC5K3YxBiXtzkMsouyKih8=
=uDi2
-----END PGP SIGNATURE-----
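
The kind of script the message says is needed for mountd's rpcbind-assigned ports could look like the following. This is an added example, not part of the original post: the function name rpc_rules, its optional source argument, the client network 192.168.0.0/24 and the rpcinfo -p sample are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build ipf pass rules for the
# ports rpcbind currently reports for one RPC service, e.g. mountd.
# rpc_rules, its SRC argument and the sample data below are assumptions.

# rpc_rules SERVICE [SRC]  -- reads `rpcinfo -p` output on stdin.
rpc_rules() {
    svc=$1
    src=${2:-any}
    # Refuse anything but "any" or an IPv4 address/CIDR so the argument
    # cannot smuggle extra rule text into the firewall.
    case $src in
        any) ;;
        ''|*[!0-9./]*) echo "rpc_rules: bad source '$src'" >&2; return 1 ;;
    esac
    awk -v svc="$svc" -v src="$src" '
        # Data rows are: program vers proto port service
        NF >= 5 && $5 == svc {
            proto = $3; port = $4
            if (proto != "tcp" && proto != "udp") next
            if (port !~ /^[0-9]+$/ || port + 0 < 1 || port + 0 > 65535) next
            if (seen[proto "/" port]++) next      # one rule per proto/port
            # Exact "port =" match: no reliance on range operators such as
            # "><", whose bounds ipf treats as exclusive.
            printf "pass in quick proto %s from %s to any port = %d keep state\n",
                   proto, src, port
        }'
}

# Constructed sample of `rpcinfo -p` output; the last row is deliberately bad.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   udp    111  rpcbind
    100005    1   udp    881  mountd
    100005    3   udp    881  mountd
    100005    1   tcp    881  mountd
    100005    3   tcp    881  mountd
    100003    3   tcp   2049  nfs
    100005    3   tcp  99999  mountd
EOF
}

sample_rpcinfo | rpc_rules mountd 192.168.0.0/24
```

On the server the input would come from `rpcinfo -p` itself and the output could be fed to `ipf -f -`. Rules for ports mountd no longer uses still have to be removed separately.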