From owner-freebsd-net@FreeBSD.ORG Sat Jun 16 00:27:30 2007
From: "Dave" <dmehler26@woh.rr.com>
To: freebsd-net@freebsd.org
Date: Fri, 15 Jun 2007 20:27:23 -0400
Subject: Re: Firewalling NFS
Message-ID: <00a401c7afad$1f106680$0200a8c0@satellite>
References: <20070615072734.GC8093@obiwan.tataz.chchile.org> <20070615105950.GH3779@void.codelabs.ru> <4672D09B.9030100@incunabulum.net>
List-Id: Networking and TCP/IP with FreeBSD

Hello,

If anyone is interested, I've got NFS going with a pf firewall on 6.2. I use a block-by-default policy, and the client is a Linux client running its iptables firewall, but it does work. I'm not sure about ipfw's rule syntax, but for pf, and I think ipf, this should do it.
The trick is UDP and TCP 111, TCP 2049, and TCP 986 and UDP 669; those last two are so that mountd can be contacted. On the NFS server I have this in rc.conf:

    rpcbind_enable="YES"
    rpcbind_flags="-h 192.168.1.44"                   # I use jails on this box
    nfs_server_enable="YES"
    nfs_server_flags="-u -t -n 4 -h 192.168.1.44"     # jails on this system
    mountd_flags="-r"

and in my pf.conf file I have:

    pass in quick on $ext_if inet proto { tcp, udp } from to $ext_if port 111 flags S/SA keep state
    pass in quick on $ext_if inet proto tcp from to $ext_if port 2049 flags S/SA keep state
    pass in quick on $ext_if inet proto tcp from to $ext_if port 986 flags S/SA keep state
    pass in quick on $ext_if inet proto udp from to $ext_if port 669 keep state

The only thing I'm not sure of is whether any of the ports will change if the box is rebooted; I've restarted the services several times and they hold the same ports.

HTH,
Dave.

----- Original Message -----
From: "Bruce M. Simpson"
To: "Eygene Ryabinkin"
Cc: ; "Jeremie Le Hen"
Sent: Friday, June 15, 2007 1:47 PM
Subject: Re: Firewalling NFS

> Eygene Ryabinkin wrote:
>> NFSD binds to the port nfsd (2049) and for my -CURRENT both lockd
>> and statd have '-p' options:
>> -----
>> $ man rpc.lockd rpc.statd | grep -- -p
>> rpc.lockd [-d debug_level] [-g grace period] [-p port]
>>      -p      The -p option allow to force the daemon to bind to the specified
>> rpc.statd [-d] [-p port]
>>      -p      The -p option allow to force the daemon to bind to the specified
>> -----
>> Are we talking about the same entities?
>>
>
> I added the -p switch to mountd(8) a few years ago, as I needed to run a
> read-only NFS server exposed to the outside world; to firewall it I needed
> a deterministic RPC port number, which is what -p gives you. Otherwise you
> have to rely on the TCP wrapper support built into rpcbind(8). The
> rpc.lockd and rpc.statd daemons were recently changed to incorporate this
> switch too, although I don't think it has been backported to the 6-STABLE
> branch yet.
>
> Regards,
> BMS
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
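The open question in Dave's mail is whether the mountd ports (TCP 986 / UDP 669 in his setup) survive a reboot, since without mountd's -p switch they are whatever rpcbind handed out. The script below is an added example, not Dave's or the FreeBSD project's code: it reads the text of `rpcinfo -p`, emits pf pass rules in the same style as the rules above for every port an NFS client needs (rpcbind, mountd, nfs, and nlockmgr/status if registered), and checks the live registrations against the ports a pf.conf was written for, so a drifted port is reported before the ruleset is loaded. It assumes pf.conf defines the macros `$ext_if` and `$nfs_clients` (the client source spec is not shown on the page), and the `rpcinfo -p` text it parses is constructed to match the ports quoted in the mail.

```shell
#!/bin/sh
# Added example, not from the original mail: build pf rules for NFS from
# `rpcinfo -p` output and verify the RPC ports have not moved.
# Assumptions: pf.conf defines the macros $ext_if and $nfs_clients;
# SAMPLE_RPCINFO is constructed to match the ports quoted in the mail
# (the ypserv line is constructed filler to show non-NFS programs are skipped).

SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100005    1   udp    669  mountd
    100005    3   tcp    986  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100004    2   udp   1012  ypserv'

# rpc_ports RPCINFO_TEXT
# Prints unique "proto port service" triples for the services an NFS client
# must reach. The header line, other programs and duplicate program versions
# that share a port are dropped.
rpc_ports() {
    printf '%s\n' "$1" | awk '
        $4 ~ /^[0-9]+$/ && $5 ~ /^(rpcbind|mountd|nfs|nlockmgr|status)$/ {
            key = $3 " " $4 " " $5
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# pf_rules_from_rpcinfo RPCINFO_TEXT IFACE_MACRO SOURCE_SPEC
# Emits one pf "pass in" rule per proto/port, in the style of the mail
# (flags S/SA keep state for TCP, keep state for UDP), with the RPC service
# name as a trailing comment so the ruleset stays readable.
pf_rules_from_rpcinfo() {
    rpc_ports "$1" | while read -r proto port svc; do
        if [ "$proto" = tcp ]; then
            printf 'pass in quick on %s inet proto tcp from %s to %s port %s flags S/SA keep state # %s\n' \
                "$2" "$3" "$2" "$port" "$svc"
        else
            printf 'pass in quick on %s inet proto udp from %s to %s port %s keep state # %s\n' \
                "$2" "$3" "$2" "$port" "$svc"
        fi
    done
}

# check_rpc_ports RPCINFO_TEXT "proto:port:service ..."
# Returns 0 when every expected service is still registered on the expected
# proto/port, 1 (with a DRIFT line on stderr) when any of them moved, for
# example because a reboot started the daemons in a different order.
check_rpc_ports() {
    live=$(rpc_ports "$1")
    rc=0
    for want in $2; do
        proto=${want%%:*}; rest=${want#*:}; port=${rest%%:*}; svc=${rest#*:}
        if ! printf '%s\n' "$live" | grep -q -- "^$proto $port $svc\$"; then
            echo "DRIFT: $svc is not registered on $proto/$port" >&2
            rc=1
        fi
    done
    return $rc
}

# Demonstration on the constructed sample. On a real server replace
# "$SAMPLE_RPCINFO" with "$(rpcinfo -p)" and run the check from rc.local or
# a cron job before `pfctl -f /etc/pf.conf`.
pf_rules_from_rpcinfo "$SAMPLE_RPCINFO" '$ext_if' '$nfs_clients'
check_rpc_ports "$SAMPLE_RPCINFO" \
    "tcp:111:rpcbind udp:111:rpcbind tcp:2049:nfs udp:2049:nfs tcp:986:mountd udp:669:mountd"
```

The check is only a safety net for the unpinned case. The durable fix is the one Bruce describes: pin the port with mountd's -p switch (for example `mountd_flags="-r -p 986"` in rc.conf, which binds both the UDP and TCP mountd sockets to 986), and, once rpc.lockd and rpc.statd gain -p on the branch in use, pin those the same way; the expected list passed to `check_rpc_ports` then becomes a fixed set of ports that the rpcbind allocation order can no longer change.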