Date: Wed, 30 Nov 2005 17:42:30 -0600
From: Aaron Martinez <ml@proficuous.com>
To: Roland Smith <rsmith@xs4all.nl>, FreeBSD-questions@freebsd.org
Subject: Re: pf blocking nfs
Message-ID: <200511301742.31258.ml@proficuous.com>
In-Reply-To: <20051130170210.GB1587@slackbox.xs4all.nl>
References: <60336.192.168.3.69.1133319528.squirrel@webmail.proficuous.com> <20051130170210.GB1587@slackbox.xs4all.nl>
On Wednesday 30 November 2005 11:02, Roland Smith wrote:
> On Tue, Nov 29, 2005 at 08:58:48PM -0600, Aaron P. Martinez wrote:
> > I am running FreeBSD 6.0-release and setting up a very basic firewall
> > using pf on my workstation. The ruleset is as follows:
> >
> > block in log all
> > pass quick on lo0 all
> > #pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
> > pass out on fxp0 proto { tcp, udp, icmp } all keep state
> > <snip>
> >
> > I can't tell why this isn't working. I know that udp is stateless, but I
> > was inclined to believe that you could still use state tracking with pf.
> > I'd really like to have the firewall in place when this machine is
> > connected to the internet...
> > Reading the pf manuals, it is supposed to work.
>
> Have you tried explicitly letting the required traffic through?
>
> pass out on fxp0 proto { tcp, udp } to $nfsserver port { sunrpc,
> nfsd-status, nfsd, lockd } keep state
>
> Where $nfsserver is the server's IP address.
>
> If that still doesn't work, try:
>
> pass out on fxp0 proto { tcp, udp } from any to $nfsserver port { sunrpc,
> nfsd-status, nfsd, lockd }
> pass in on fxp0 proto { tcp, udp } from $nfsserver to any port { sunrpc,
> nfsd-status, nfsd, lockd }
>
> Roland

I thought for sure the last example here would solve the issue, but I'm still stumped.
My current ruleset is as follows:

block in log all
pass quick on lo0 all
#pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
pass out on fxp0 proto { tcp, udp, icmp } all keep state
pass out on fxp0 proto { tcp, udp } to 192.168.3.94 port { sunrpc, nfsd, nfsd-status, lockd } keep state
pass in on fxp0 proto { tcp, udp } from 192.168.3.94 port { sunrpc, nfsd, nfsd-status, lockd } keep state

That didn't work, so I tried:

block in log all
pass quick on lo0 all
#pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
pass out on fxp0 proto { tcp, udp, icmp } all keep state
pass out on fxp0 proto { tcp, udp } to 192.168.3.94 port { sunrpc, nfsd, nfsd-status, lockd }
pass in on fxp0 proto { tcp, udp } from 192.168.3.94 port { sunrpc, nfsd, nfsd-status, lockd }

which was even worse; with this setup I couldn't even switch to the /home directory. Still no go.

I'm not sure if I have to reboot after changing the pf.conf ruleset. I have just been stopping pf with pfctl -d, flushing the rules with pfctl -F rules, loading the modified rules from /etc/pf.conf with pfctl -f /etc/pf.conf, and then re-enabling pf with pfctl -e.

Hope someone can shed some light on this. Part of my whole reason for switching to the BSDs was my interest in pf, but this not keeping state is really letting me down.

I've said this before, but I feel like it's worth mentioning again: even with the single line

pass out on fxp0 proto { tcp, udp, icmp } all keep state

I can switch to the /usr/home directory and even go into any directory that doesn't have a lot of files/folders in it. I only seem to have a problem with one home directory that is really loaded up.

Thanks again,
Aaron Martinez
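Editor's note, not part of the thread: the symptom described above (small directories work, a large one does not, even with "keep state") is the classic signature of IP fragmentation interacting with a port-matching ruleset. An NFS readdir reply over UDP for a big directory exceeds the Ethernet MTU and is sent as several IP fragments; only the first fragment carries the UDP header, so the remaining fragments have no ports for a "pass ... port { ... } keep state" rule to match and fall through to "block in log all". pf handles this when it is told to reassemble fragments before filtering ("scrub in all" in the pf of that era, which defaults to fragment reassembly), so checking for a missing scrub line and for fragment hits in the pflog is the first thing a practitioner would do. The following Python is an added example that simulates that mechanism; it is not code from the thread or from pf. The 9000-byte reply, the MTU of 1500, and the client port 1023 are constructed sample values, and nfsd's registered port 2049 is used as the server port.

```python
import struct

MTU = 1500          # constructed: classic Ethernet MTU
IP_HDR_LEN = 20     # IPv4 header without options
UDP_HDR_LEN = 8
NFS_PORT = 2049     # registered nfsd port


def build_udp_datagram(src_port, dst_port, payload):
    """UDP header + payload (checksum left zero, which is legal over IPv4)."""
    length = UDP_HDR_LEN + len(payload)
    return struct.pack("!HHHH", src_port, dst_port, length, 0) + payload


def fragment(ip_payload, mtu=MTU):
    """Split an IP payload into fragments the way RFC 791 requires.

    Each fragment is a dict with the fragment offset (in 8-byte units), the
    more-fragments flag and its data.  Only the offset-0 fragment carries the
    UDP header; later fragments are opaque bytes to a port-based filter.
    """
    max_data = (mtu - IP_HDR_LEN) // 8 * 8   # all but the last must be 8-byte multiples
    frags, off = [], 0
    while off < len(ip_payload):
        chunk = ip_payload[off:off + max_data]
        frags.append({"offset": off // 8,
                      "mf": off + len(chunk) < len(ip_payload),
                      "data": chunk})
        off += len(chunk)
    return frags


def ports_of(frag):
    """Return (src, dst) ports if this fragment contains a UDP header, else None."""
    if frag["offset"] != 0 or len(frag["data"]) < UDP_HDR_LEN:
        return None
    return struct.unpack("!HH", frag["data"][:4])


def filter_without_reassembly(frags, allowed_src_port):
    """Per-fragment port matching, i.e. a ruleset with no scrub line.

    A fragment without a matching header hits the default 'block in all'.
    Returns (passed, blocked) fragment counts.
    """
    passed = blocked = 0
    for f in frags:
        p = ports_of(f)
        if p is not None and p[0] == allowed_src_port:
            passed += 1
        else:
            blocked += 1
    return passed, blocked


def reassemble(frags):
    """Rebuild the original IP payload (simplified: complete, non-overlapping set)."""
    ordered = sorted(frags, key=lambda f: f["offset"])
    out = bytearray()
    for f in ordered:
        if f["offset"] * 8 != len(out):
            raise ValueError("missing or overlapping fragment")
        out += f["data"]
    if ordered[-1]["mf"]:
        raise ValueError("last fragment missing")
    return bytes(out)


def filter_with_reassembly(frags, allowed_src_port):
    """What 'scrub in all' achieves: reassemble first, then match the header once."""
    src, _dst = struct.unpack("!HH", reassemble(frags)[:4])
    return src == allowed_src_port


def demo(reply_bytes=9000):
    """Constructed NFS reply from server port 2049 to client port 1023."""
    reply = build_udp_datagram(NFS_PORT, 1023, b"\x00" * reply_bytes)
    frags = fragment(reply)
    return {
        "fragments": len(frags),
        "without_scrub": filter_without_reassembly(frags, NFS_PORT),
        "with_scrub": filter_with_reassembly(frags, NFS_PORT),
    }


if __name__ == "__main__":
    print("small directory reply:", demo(200))    # one fragment, passes either way
    print("large directory reply:", demo(9000))   # 7 fragments, 6 blocked without scrub
```

Running it shows a 200-byte reply fitting in one fragment and passing in both models, while the 9000-byte reply becomes seven fragments of which only the first passes the port-matching filter; after reassembly the whole reply passes. That is exactly the "small directories fine, big directory hangs" behaviour, and the defender-side check is the same in either case: confirm a scrub rule is loaded ("pfctl -s rules" lists it) and look in the pflog for blocked packets that carry no port information.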