From: Roland Smith <rsmith@xs4all.nl>
To: Aaron Martinez
Date: Thu, 1 Dec 2005 01:53:48 +0100
Message-ID: <20051201005348.GB15959@slackbox.xs4all.nl>
In-Reply-To: <200511301742.31258.ml@proficuous.com>
References: <60336.192.168.3.69.1133319528.squirrel@webmail.proficuous.com> <20051130170210.GB1587@slackbox.xs4all.nl> <200511301742.31258.ml@proficuous.com>
User-Agent: Mutt/1.4.2.1i
X-GPG-Fingerprint: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725
X-GPG-Key: http://www.xs4all.nl/~rsmith/pubkey.txt
X-GPG-Notice: If this message is not signed, don't assume I sent it!
Cc: FreeBSD-questions@freebsd.org
Subject: Re: pf blocking nfs

On Wed, Nov 30, 2005 at 05:42:30PM -0600, Aaron Martinez wrote:
> On Wednesday 30 November 2005 11:02, Roland Smith wrote:
> > On Tue, Nov 29, 2005 at 08:58:48PM -0600, Aaron P. Martinez wrote:
> > > I am running FreeBSD 6.0-release and setting up a very basic firewall
> > > using pf on my workstation. The ruleset is as follows:
> > >
> > > block in log all
> > > pass quick on lo0 all
> > > #pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
> > > pass out on fxp0 proto { tcp, udp, icmp } all keep state
> > >
> > >
> > > I can't tell why this isn't working. I know that udp is stateless, but I
> > > was inclined to believe that you could still use state tracking with pf.
> > > I'd really like to have the firewall in place when this machine is
> > > connected to the internet...
> >
> > Reading the pf manuals, it is supposed to work.
> >
> > Have you tried explicitly letting the required traffic through?
> >
> > pass out on fxp0 proto { tcp, udp } to $nfsserver port { sunrpc,
> > nfsd-status, nfsd, lockd } keep state
> >
> > Where $nfsserver is the server's IP address.
> >
> > If that still doesn't work, try:
> >
> > pass out on fxp0 proto { tcp, udp } from any to $nfsserver port { sunrpc,
> > nfsd-status, nfsd, lockd }
> > pass in on fxp0 proto { tcp, udp } from $nfsserver to any port { sunrpc,
> > nfsd-status, nfsd, lockd }
> >
> >
> > Roland
>
> I thought for sure the last example here would solve the issue, but I'm still
> stumped.
> My current ruleset is as follows:
>
> block in log all
> pass quick on lo0 all
> #pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
> pass out on fxp0 proto { tcp, udp, icmp } all keep state
> pass out on fxp0 proto { tcp, udp } to 192.168.3.94 port { sunrpc, nfsd,
> nfsd-status, lockd } keep state
> pass in on fxp0 proto { tcp, udp } from 192.168.3.94 port { sunrpc, nfsd,
> nfsd-status, lockd } keep state
>
> That didn't work so I tried:
>
> block in log all
> pass quick on lo0 all
> #pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
> pass out on fxp0 proto { tcp, udp, icmp } all keep state
> pass out on fxp0 proto { tcp, udp } to 192.168.3.94 port { sunrpc, nfsd,
> nfsd-status, lockd }
> pass in on fxp0 proto { tcp, udp } from 192.168.3.94 port { sunrpc, nfsd,
> nfsd-status, lockd }

I think this should be

pass in on fxp0 proto { tcp, udp } from 192.168.3.94 to any port { sunrpc, nfsd, nfsd-status, lockd }

You could also try:

pass in on fxp0 proto { tcp, udp } from 192.168.3.94 to $workstation
pass out on fxp0 proto { tcp, udp } from $workstation to 192.168.3.94

If that doesn't work, I don't know what will.

> which was even worse, with this setup I couldn't even switch to the /home
> directory.
>
> Still no go. I'm not sure if I have to reboot after changing the pf.conf
> ruleset, I have just been stopping pf with pfctl -d, flushing the rules with
> pfctl -F rules, loading the modified rules from /etc/pf.conf with pfctl
> -f /etc/pf.conf and then re-enabling pf with pfctl -e. Hope someone can
> shed some light on this. Part of my whole reason for switching to the BSDs
> was my interest in pf, but this not keeping state is really letting me down.

I think the best way is to use '/etc/rc.d/pf reload'.
> I've said this before but I feel like it's worth mentioning again, even with
> the single line:
> pass out on fxp0 proto { tcp, udp, icmp } all keep state
>
> I can switch to the /usr/home directory and even go into any directory that
> doesn't have a lot of files/folders in it. I only seem to have problem with
> one home directory that is really loaded up.

In your original post, there was something about a short packet. I'm
guessing this might screw things up. You might try adding 'scrub in all'
before the filtering rules.

Roland
--
R.F.Smith (http://www.xs4all.nl/~rsmith/)
Please send e-mail as plain text.
public key: http://www.xs4all.nl/~rsmith/pubkey.txt
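Editor's note, added to this archived message and not part of the original thread: Roland's last suggestion is the one that addresses the symptom Aaron describes (small directories work, a crowded one does not). The state entry created by 'pass out ... keep state' already covers the server's replies in both directions, so the extra 'pass in' rules are not what is missing. What is missing is fragment reassembly: a READDIR reply for a large directory is a UDP datagram well above the interface MTU, the sending host splits it into IP fragments, and only the first fragment carries the UDP header with the ports. Without 'scrub' pf looks at each fragment on its own; the non-first fragments have no ports, cannot match the state entry, and fall through to 'block in log all' (those are the "short packet" entries in the log). 'scrub in all' makes pf reassemble the datagram before filtering, so the whole reply matches the state. The model below reproduces that on constructed packets; it is a toy written for this note, not pf code. It assumes the mount uses UDP, an MTU of 1500 on fxp0, the server 192.168.3.94 from the thread, an assumed workstation address 192.168.3.69, nfsd on 2049/udp and an assumed reserved client port 1023.

```python
# Toy model of pf stateful filtering with and without 'scrub' fragment
# reassembly. Added example for this thread; not pf code and not from the
# original mail. All packets below are constructed.
from dataclasses import dataclass
from typing import Optional

MTU = 1500                       # assumed Ethernet MTU on fxp0
IP_HDR = 20                      # IPv4 header without options
UDP_HDR = 8
MAX_FRAG_PAYLOAD = MTU - IP_HDR  # 1480 bytes, already a multiple of 8


@dataclass
class Packet:
    src: str
    dst: str
    frag_id: int                  # IP identification, shared by all fragments
    offset: int                   # fragment offset in bytes
    more: bool                    # MF flag
    length: int                   # bytes of IP payload in this fragment
    sport: Optional[int] = None   # only the first fragment carries the UDP header
    dport: Optional[int] = None


def fragment(src, dst, sport, dport, payload_bytes, frag_id):
    """Split one UDP datagram into IP fragments the way a sending host does."""
    total = UDP_HDR + payload_bytes
    frags, off = [], 0
    while off < total:
        chunk = min(MAX_FRAG_PAYLOAD, total - off)
        first = off == 0
        frags.append(Packet(src, dst, frag_id, off, off + chunk < total, chunk,
                            sport if first else None, dport if first else None))
        off += chunk
    return frags


def reassemble(buffer, pkt):
    """IP reassembly: return the whole datagram once every fragment of
    pkt.frag_id has arrived, else None (fragment is held in buffer)."""
    held = buffer.setdefault(pkt.frag_id, [])
    held.append(pkt)
    held.sort(key=lambda p: p.offset)
    contiguous = all(a.offset + a.length == b.offset for a, b in zip(held, held[1:]))
    if not (held[0].offset == 0 and contiguous and not held[-1].more):
        return None
    del buffer[pkt.frag_id]
    return Packet(pkt.src, pkt.dst, pkt.frag_id, 0, False,
                  sum(p.length for p in held), held[0].sport, held[0].dport)


class PfLike:
    """'pass out on fxp0 proto udp all keep state' plus 'block in all'."""

    def __init__(self, scrub):
        self.scrub = scrub
        self.states = set()   # (src, sport, dst, dport) recorded on the way out
        self.pending = {}     # reassembly buffer used only when scrub is on

    def out(self, pkt):
        self.states.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "pass"

    def _matches_state(self, pkt):
        # Reply direction: server is src, workstation is dst.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.states

    def inbound(self, pkt):
        """Return what pf hands to the host, or None if pf drops/holds it."""
        if not self.scrub:
            # No reassembly: a non-first fragment has no ports, so it cannot
            # match any state entry and falls through to 'block in all'.
            return pkt if pkt.sport is not None and self._matches_state(pkt) else None
        whole = reassemble(self.pending, pkt)
        if whole is None:
            return None            # still buffering the rest of the datagram
        return whole if self._matches_state(whole) else None


def run_scenario(scrub, reply_bytes, server="192.168.3.94", client="192.168.3.69"):
    """Workstation sends one READDIR request; count complete replies delivered."""
    pf = PfLike(scrub)
    request = fragment(client, server, 1023, 2049, 120, frag_id=1)  # assumed ports
    assert len(request) == 1 and pf.out(request[0]) == "pass"
    reply = fragment(server, client, 2049, 1023, reply_bytes, frag_id=2)
    host, delivered = {}, 0
    for frag in reply:
        passed = pf.inbound(frag)
        # The client kernel still has to reassemble whatever pf let through.
        if passed is not None and reassemble(host, passed) is not None:
            delivered += 1
    return {"fragments": len(reply), "delivered": delivered}


if __name__ == "__main__":
    for scrub in (False, True):
        for size in (200, 8192):   # small directory listing vs. one 8 KiB READDIR reply
            print(f"scrub={scrub!s:5} reply={size:5}B -> {run_scenario(scrub, size)}")
```

Two practical caveats beyond the model. First, only nfsd sits on a fixed port; mountd and the lock/status daemons register whatever port rpcbind hands them unless they are pinned (mountd's -p flag), so a port list such as { sunrpc, nfsd, lockd } may not cover the real ports, and the stateful outbound rule is the more robust way to admit the replies. Second, mounting over TCP (mount_nfs -T) avoids large UDP datagrams altogether, since TCP segments the data to the MSS and is not normally fragmented, which is another way to confirm that fragmentation is the cause.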