From owner-freebsd-questions@FreeBSD.ORG Sun Nov 2 22:24:08 2014 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 996D7E9F for ; Sun, 2 Nov 2014 22:24:08 +0000 (UTC) Received: from fly.hiwaay.net (fly.hiwaay.net [216.180.54.1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 61630D2D for ; Sun, 2 Nov 2014 22:24:07 +0000 (UTC) Received: from kabini1.local (rbn1-216-180-19-97.adsl.hiwaay.net [216.180.19.97]) (authenticated bits=0) by fly.hiwaay.net (8.13.8/8.13.8/fly) with ESMTP id sA2MO5l6007984 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for ; Sun, 2 Nov 2014 16:24:05 -0600 Message-ID: <5456B07C.7030504@hiwaay.net> Date: Sun, 02 Nov 2014 16:30:20 -0600 From: "William A. Mahaffey III" User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0 MIME-Version: 1.0 CC: freebsd-questions@freebsd.org Subject: Re: Minor rpc question .... References: <20141103012236.X52402@sola.nimnet.asn.au> <20141103032648.W52402@sola.nimnet.asn.au> In-Reply-To: <20141103032648.W52402@sola.nimnet.asn.au> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 02 Nov 2014 22:24:08 -0000 On 11/02/14 11:12, Ian Smith wrote: > William, I've just seen your response at > http://lists.freebsd.org/pipermail/freebsd-questions/2014-November/262026.html > but as I take questions@ as a digest, I won't get it here till tomorrow > .. I should have asked you to cc me. > > So this is a brief hatchet job: > > > 02500 18777 23476935 allow tcp from 192.168.0.0/16 to me > > 65000 1795 424041 count ip from any to any > > 65100 1371 269257 deny { tcp or udp } from any to any dst-port 111,137,138,513 in > > > w/ port 513 obviously being denied. However, I don't know where that > > is happening :-/ & I thought rule 02500 would let all local traffic > > through .... > > /etc/rc.firewall 'workstation' ruleset allows you to enable inbound > access to services, like rwhod. see /etc/defaults/rc.conf for details > of rc.conf variables, and rc.firewall for how they're invoked. > > Rule 2500 only allows tcp, rwho is udp - but 2500 is a bit sweeping > anyway, perhaps best to enable specific services, even internally? I did that to start w/ & had trouble getting stuff (NFS) to run, so I just opened up all internal traffic, a bit shaky, on my TODO list to fix, might be a good time now :-) .... > > Ah, yes - I see firewall_myservices and firewall_allowservices are only > for TCP services. That's a strange omission, if I'm reading it right, > especially re rpc. > > Rather than fixing this properly now for UDP services, I'd just add into > /etc/rc.firewall after what's now your 2500 or at any rate before 65000: > > ${fwcmd} allow udp from ${mynetwork} 513 to me 513 > > You're already enabling udp services outbound, statefully, which is why > you can query other hosts. Now they'll be able to reach you too :) > > 'service ipfw restart' and you should be good to go. You could remove > 513 from firewall_nologports - but now it'll already be passed by then. > > g'night, Ian > -- William A. Mahaffey III ---------------------------------------------------------------------- "The M1 Garand is without doubt the finest implement of war ever devised by man." -- Gen. George S. Patton Jr.