From owner-freebsd-questions@FreeBSD.ORG  Mon Apr  4 03:40:16 2005
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A7F2816A4CE
	for <freebsd-questions@freebsd.org>;
	Mon,  4 Apr 2005 03:40:16 +0000 (GMT)
Received: from neptune.atopia.net (neptune.atopia.net [209.128.231.90])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2A8A743D48
	for <freebsd-questions@freebsd.org>;
	Mon,  4 Apr 2005 03:40:16 +0000 (GMT)	(envelope-from matt@atopia.net)
Received: from [192.168.0.102] (pcp173257pcs.plsntv01.nj.comcast.net
	[68.46.70.16])
	by neptune.atopia.net (Postfix) with ESMTP id 782F440E7;
	Sun,  3 Apr 2005 23:40:15 -0400 (EDT)
Message-ID: <4250B71F.60309@atopia.net>
Date: Sun, 03 Apr 2005 23:40:15 -0400
From: Matt Juszczak <matt@atopia.net>
User-Agent: Mozilla Thunderbird 0.9 (X11/20041129)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: =?UTF-8?B?RXJpayBOw7hyZ2FhcmQ=?= <norgaard@locolomo.org>
References: <424F8B94.7050006@atopia.net> <424FCDD3.6040507@locolomo.org>
	<425030A0.4000809@atopia.net> <42503A76.20309@locolomo.org>
In-Reply-To: <42503A76.20309@locolomo.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
cc: freebsd-questions@freebsd.org
Subject: Re: IPFILTER and NFS
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Apr 2005 03:40:16 -0000

Erik,

I already have that :-(


---snip---
# Default pass out
pass out quick on em0 all keep state

# Fragmented/Short/Opts/Fprinting packets
block in quick on em0 all with ipopts
block in quick on em0 all with frag
block in quick on em0 proto tcp all with short
block in quick on em0 proto tcp all flags FUP

# Block local nets
block in quick on em0 from 255.255.255.255/32 to any
block in quick on em0 from 192.168.0.0/16 to any
block in quick on em0 from 172.16.0.0/12 to any
block in quick on em0 from 127.0.0.0/8 to any
block in quick on em0 from 10.0.0.0/8 to any
block in quick on em0 from 0.0.0.0/32 to any
---snip---


Erik Nørgaard wrote:

> Matt Juszczak wrote:
>
>> I dont have access to the nfs server... only the client.  Your 
>> configuration info showed me making changes on the server.  is there 
>> a way to make the client work ok?
>
>
> Just let your client connect to any port on the server - keep state so 
> you can block incoming connections:
>
> pass out quick on <interface> proto tcp from <client>/32 \
>     to <nfs-server>/32 flags S keep state
> pass out quick on <interface> proto udp from <client>/32 \
>     to <nfs-server>/32 keep state
>
> Erik