From owner-freebsd-questions Fri Oct 11 13:20:03 2002
Delivered-To: freebsd-questions@freebsd.org
Message-ID: <00d801c27163$526113f0$11ec910c@DaleCoportable>
From: "DaleCo, S.P.---'the solutions people'"
References: <20021011200948.7904C43E88@mx1.FreeBSD.org>
Subject: Re: NFS rules for ipfw
Date: Fri, 11 Oct 2002 15:18:09 -0500
Sender: owner-freebsd-questions@FreeBSD.ORG

Straining for clues here. Maybe needs to be keep-state rules?

We should probably RTM and/or do a little other research on what ports NFS is using, and how it's using them, etc.

Have you done any packet sniffing on your LAN to see what's happening when the FW is blocking NFS?

Cheers,

Kevin Kinsey
DaleCo, S.P.

----- Original Message -----
From: "Mark"
Sent: Friday, October 11, 2002 3:09 PM
Subject: NFS rules for ipfw

> Hello!
>
> I've got a little server here that is acting as a nat/router and firewall to
> connect our home to the internet.
>
> I would, in addition, like to run NFS on this machine so that computers on
> the internal network can share disks from it. (Yes, I realize this is
> sub-optimal and an NFS server should theoretically be a separate machine, but
> there are cost and space issues here ...)
>
> The problem is, I have a "simple" firewall up and running on this machine
> that prevents the internal machines from connecting to the server via NFS.
> (I've already verified changing the firewall to "open" allows NFS client
> access).
>
> My question is: Is there a set of rules I can add to the server to allow NFS
> clients from the LOCAL network only, but still prevent NFS requests from the
> outside net?
>
> I've tried things like:
>
> ${fwcmd} add pass udp from ${inet}:${imask} to ${iip} 2049
> ${fwcmd} add pass tcp from ${inet}:${imask} to ${iip} 2049
>
> and similar rules for port 369 (RPC2) and 111 (Sun RPC), but without any luck
> -- client machines always give RPC Timed Out messages on mounts or any other
> request.
>
> Any suggestions?
>
> Thanks,
> Mark.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
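An added example, not from either poster, of the kind of rule set the question is after: NFS admitted only from the inside network, everything else aimed at the RPC/NFS ports dropped and logged. It uses the same variable names as the rc.firewall "simple" set Mark is working from (fwcmd, inet, imask, iip, iif) and, as Kevin suggests, keep-state rules so the server's replies are let out without a second set of stateless rules. Two caveats a practitioner would want: stateless pass rules for port 2049 alone only admit the request direction, so UDP replies never leave the server; and on FreeBSD mountd picks a dynamic port from the portmapper unless it is pinned with mountd -p (mountd_flags in rc.conf), so a rule set that names only 111 and 2049 still misses the mount request. The mountd port (815) and the addresses in the dry-run call are assumptions for illustration.

```shell
#!/bin/sh
# Added example: ipfw rules admitting NFS from the LAN only.
# Not the original poster's rules; variable names follow rc.firewall "simple".

# Emit the NFS rules through a given command.
#   $1 = command that takes a rule ("ipfw -q" on the box, "echo" for a dry run)
#   $2 = inside network, $3 = inside netmask, $4 = inside IP of the server
#   $5 = inside interface, $6 = port mountd was pinned to with "mountd -p"
nfs_lan_rules() {
    local fwcmd="$1" inet="$2" imask="$3" iip="$4" iif="$5" mountd_port="$6"
    # portmapper (111), nfsd (2049) and the pinned mountd port (assumed)
    local nfs_ports="111,2049,${mountd_port}"

    # check-state first so replies matching the dynamic rules below are
    # accepted before anything later in the set can deny them
    ${fwcmd} add check-state

    # NFS over TCP: only the SYN from the inside network needs to match;
    # keep-state then admits the rest of the connection in both directions
    ${fwcmd} add pass tcp from ${inet}:${imask} to ${iip} ${nfs_ports} in via ${iif} setup keep-state

    # NFS over UDP: keep-state tracks the UDP exchange too, so the server's
    # replies get back out without a stateless "from ${iip} 2049" rule
    ${fwcmd} add pass udp from ${inet}:${imask} to ${iip} ${nfs_ports} in via ${iif} keep-state

    # Anything else aimed at the RPC/NFS ports (the outside interface, or a
    # packet claiming an inside source on the wrong interface) is dropped
    # and logged so the attempt shows up in the firewall log
    ${fwcmd} add deny log tcp from any to ${iip} ${nfs_ports}
    ${fwcmd} add deny log udp from any to ${iip} ${nfs_ports}
}

# Count the rules a call emits (handy for checking a dry run).
nfs_lan_rule_count() {
    nfs_lan_rules echo "$@" | grep -c ''
}

# Dry run with constructed values: set FWCMD="ipfw -q" to load them for real.
nfs_lan_rules "${FWCMD:-echo}" 192.168.1.0 255.255.255.0 192.168.1.1 fxp0 815
```

Run it as-is and it only prints the rules; put `mountd_flags="-p 815"` (or whatever port you choose) in rc.conf and restart mountd before loading them, or the third port in the list will not match anything.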