Site Navigation

Date:      Thu, 1 Dec 2005 01:53:48 +0100
From:      Roland Smith <rsmith@xs4all.nl>
To:        Aaron Martinez <ml@proficuous.com>
Cc:        FreeBSD-questions@freebsd.org
Subject:   Re: pf blocking nfs
Message-ID:  <20051201005348.GB15959@slackbox.xs4all.nl>
In-Reply-To: <200511301742.31258.ml@proficuous.com>
References:  <60336.192.168.3.69.1133319528.squirrel@webmail.proficuous.com> <20051130170210.GB1587@slackbox.xs4all.nl> <200511301742.31258.ml@proficuous.com>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

--8P1HSweYDcXXzwPJ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Nov 30, 2005 at 05:42:30PM -0600, Aaron Martinez wrote:
> On Wednesday 30 November 2005 11:02, Roland Smith wrote:
> > On Tue, Nov 29, 2005 at 08:58:48PM -0600, Aaron P. Martinez wrote:
> > > I am running FreeBSD 6.0-release and setting up a very basic firewall
> > > using pf on my workstation.  The ruleset is as follows:
> > >
> > > block in log all
> > > pass quick on lo0 all
> > > #pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
> > > pass  out on fxp0 proto { tcp, udp, icmp } all keep state
> >
> > <snip>
> >
> > > I can't tell why this isn't working.  I know that udp is stateless, b=
ut i
> > > was inclined to believe that you could still use state tracking with =
pf.
> > > I'd really like to have the firewall in place when this machine is
> > > connected to the internet...
> >
> > Reading the pf manuals, it is supposed to work.
> >
> > Have you tried explicitly letting the required traffic through?
> >
> > pass out on fxp0 proto { tcp, udp } to $nfsserver port { sunrpc,
> > nfsd-status, nfsd, lockd } keep state
> >
> > Where $nfsserver is the server's IP address.
> >
> > If that still doesn't work, try:
> >
> > pass out on fxp0 proto { tcp, udp } from  any to $nfsserver port { sunr=
pc,
> > nfsd-status, nfsd, lockd } pass in on fxp0 proto { tcp, udp } from
> > $nfsserver to any port { sunrpc, nfsd-status, nfsd, lockd }
> >
> >
> > Roland
>=20
> I thought for sure the last example here would solve the issue, but i'm s=
till=20
> stumped.  My current ruleset is as follows:
>=20
> block in log all
> pass quick on lo0 all
> #pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
> pass  out on fxp0 proto { tcp, udp, icmp } all keep state
> pass  out on fxp0 proto { tcp, udp } to 192.168.3.94 port { sunrpc, nfsd,=
=20
> nfsd-status, lockd } keep state
> pass  in on fxp0 proto { tcp, udp } from 192.168.3.94 port { sunrpc, nfsd=
,=20
> nfsd-status, lockd } keep state
>=20
> That didn't work so i tried:
>=20
> block in log all
> pass quick on lo0 all
> #pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
> pass  out on fxp0 proto { tcp, udp, icmp } all keep state
> pass  out on fxp0 proto { tcp, udp } to 192.168.3.94 port { sunrpc, nfsd,=
=20
> nfsd-status, lockd }
> pass  in on fxp0 proto { tcp, udp } from 192.168.3.94 port { sunrpc, nfsd=
,=20
> nfsd-status, lockd }

I think this should be

pass  in on fxp0 proto { tcp, udp } from 192.168.3.94 to any port { sunrpc,=
 nfsd, nfsd-status, lockd }
=20
You could also try:

pass in on fxp0 proto { tcp, udp } from 192.168.3.94 to $workstation
pass out on fxp0 proto { tcp, udp } from $workstation to 192.168.3.94

If that doesn't work, I don't know what will.

> which was even worse, with this setup i couldn't even switch to the /home=
=20
> directory.
>=20
> Still no go.  I'm not sure if i have to reboot after changing the pf.conf=
=20
> ruleset, i have just been stopping pf with pfctl -d, flushing the rules w=
ith=20
> pfctl -F rules, loading the modified rules from /etc/pf.con with, pfctl=
=20
> -f /etc/pf.conf and then re-enabling pf with, pfctl -e.  Hope someone can=
=20
> shed some light on this.  Part of my whole reason for switcing to the BSD=
s=20
> was my interest in pf, but this not keeping state is really letting me do=
wn.

I think the best way is to use '/etc/rc.d/pf reload'.
=20
> I've said this before but i feel like it's worth mentioning again, even w=
ith=20
> the single line:
> pass  out on fxp0 proto { tcp, udp, icmp } all keep state
>=20
> i can switch to the /usr/home directory and even go into any directory th=
at=20
> doesn't have a lot of files/folders in it.  I only seem to have problem w=
ith=20
> one home directory that is really loaded up.

In your original post, there was something about a short packet. I'm
guessing this might screw things up. You might try adding 'scrub in all'
before the filtering rules.

Roland
--=20
R.F.Smith (http://www.xs4all.nl/~rsmith/) Please send e-mail as plain text.
public key: http://www.xs4all.nl/~rsmith/pubkey.txt

--8P1HSweYDcXXzwPJ
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDjkmcEnfvsMMhpyURAniWAKCGoFhdd2PrL8HG1jXJyEcDUuaEXwCfYfMm
X9l4ZG8Bpn6ZzyFvMiH2D8A=
=iDPs
-----END PGP SIGNATURE-----

--8P1HSweYDcXXzwPJ--

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051201005348.GB15959>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact