Date: Tue, 29 Nov 2005 20:58:48 -0600 (CST)
From: "Aaron P. Martinez" <ml@proficuous.com>
To: freebsd-questions@freebsd.org
Subject: pf blocking nfs
Message-ID: <60336.192.168.3.69.1133319528.squirrel@webmail.proficuous.com>
I am running FreeBSD 6.0-release and setting up a very basic firewall using pf on my workstation. The ruleset is as follows:

block in log all
pass quick on lo0 all
#pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
pass out on fxp0 proto { tcp, udp, icmp } all keep state

I am mounting /home on a Linux machine to /usr/home on my workstation as I have done for years. I'm new to FreeBSD but I have nfs_client_enable="YES" and rpcbind_enable="YES", which by all documentation I have read should be more than enough.

The problem I'm experiencing is that pf is blocking NFS packets and my workstation thinks that the NFS server is not responding. To further complicate this, directories that don't have much in them on the exported server seem to work fine, but users that have a ton of stuff just hang when trying to list the contents or switch to the directory. Disabling pf will make things start working again. One more glitch is that sometimes, not often, things work as expected even with pf enabled. I can't figure out what's going on. Below is some output from pflog as it's blocking the NFS packets.

000235 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 239) 192.168.3.94.138 > 192.168.3.95.138: >>> NBT UDP PACKET(138) Res=0x110A ID=0x42BE IP=192 (0xc0).168 (0xa8).3 (0x3).94 (0x5e) Port=138 (0x8a) Length=197 (0xc5) Res2=0x0 SourceName= WARNING: Short packet. Try increasing the snap length
202. 510573 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4076, offset 0, flags [+], proto: UDP (17), length: 1500) 192.168.3.94.2049 > 192.168.3.69.325876150: reply ok 1472
000083 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4076, offset 1480, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
000122 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4076, offset 2960, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
000121 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4076, offset 4440, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
000125 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4076, offset 5920, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
000072 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4076, offset 7400, flags [none], proto: UDP (17), length: 828) 192.168.3.94 > 192.168.3.69: udp
1. 587911 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4077, offset 0, flags [+], proto: UDP (17), length: 1500) 192.168.3.94.2049 > 192.168.3.69.325876150: reply ok 1472
000084 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4077, offset 1480, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
000134 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4077, offset 2960, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
000124 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4077, offset 4440, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
000119 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4077, offset 5920, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
000051 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4077, offset 7400, flags [none], proto: UDP (17), length: 828) 192.168.3.94 > 192.168.3.69: udp
3. 167948 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4078, offset 0, flags [+], proto: UDP (17), length: 1500) 192.168.3.94.2049 > 192.168.3.69.325876150: reply ok 1472
000096 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4078, offset 1480, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
000125 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4078, offset 2960, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
000118 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4078, offset 4440, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
000131 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4078, offset 5920, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
000078 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4078, offset 7400, flags [none], proto: UDP (17), length: 828) 192.168.3.94 > 192.168.3.69: udp
6. 326312 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4079, offset 0, flags [+], proto: UDP (17), length: 1500) 192.168.3.94.2049 > 192.168.3.69.325876150: reply ok 1472
000094 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4079, offset 1480, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
000114 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4079, offset 2960, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
000124 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4079, offset 4440, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
000125 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4079, offset 5920, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
000050 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4079, offset 7400, flags [none], proto: UDP (17), length: 828) 192.168.3.94 > 192.168.3.69: udp

I can't tell why this isn't working. I know that UDP is stateless, but I was inclined to believe that you could still use state tracking with pf. I'd really like to have the firewall in place when this machine is connected to the internet...

TIA,
Aaron Martinez
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?60336.192.168.3.69.1133319528.squirrel>
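The pflog output in the post, read by a small parser added here as an example (my own code, not part of the post or of any FreeBSD tool): it groups the blocked entries by IP id and shows that each NFS reply from port 2049 arrives as a train of fragments of which only the first carries the UDP header, so the later ones offer pf no ports to match a `keep state` entry against; the four sample entries are copied from the post. It assumes the tcpdump line format shown above and a 20-byte IP header with no options.

```python
import re
from collections import defaultdict
# Constructed sample: four pflog/tcpdump entries copied from the post, one entry per line.
SAMPLE_PFLOG = """\
000235 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 239) 192.168.3.94.138 > 192.168.3.95.138: >>> NBT UDP PACKET(138)
510573 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4076, offset 0, flags [+], proto: UDP (17), length: 1500) 192.168.3.94.2049 > 192.168.3.69.325876150: reply ok 1472
000083 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4076, offset 1480, flags [+], proto: UDP (17), length: 1500) 192.168.3.94 > 192.168.3.69: udp
000072 rule 0/0(match): block in on fxp0: (tos 0x0, ttl 64, id 4076, offset 7400, flags [none], proto: UDP (17), length: 828) 192.168.3.94 > 192.168.3.69: udp
"""
LINE_RE = re.compile(
    r"rule (?P<rule>\S+): (?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"\(tos \S+, ttl \d+, id (?P<ipid>\d+), offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto: (?P<proto>\w+) \(\d+\), length: (?P<length>\d+)\) (?P<src>[\d.]+) > (?P<dst>[\d.]+):"
)
IP_HDR_LEN = 20  # assumption: no IP options, so payload = total length - 20

def split_endpoint(token):
    # tcpdump prints "addr.port" only when the transport header is present in the fragment
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None

def analyze(pflog_text):
    """Group entries by (src, dst, IP id) so the fragments of one datagram are seen together."""
    datagrams = defaultdict(lambda: {"fragments": 0, "headerless": 0, "src_port": None,
                                     "payload_bytes": None, "action": None, "proto": None})
    for line in pflog_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport = split_endpoint(m["src"])
        dst, _ = split_endpoint(m["dst"])
        d = datagrams[(src, dst, int(m["ipid"]))]
        d["fragments"] += 1
        d["action"], d["proto"] = m["action"], m["proto"]
        offset = int(m["offset"])
        if offset == 0:
            d["src_port"] = sport    # only the first fragment carries the UDP header
        else:
            d["headerless"] += 1     # later fragments have no ports for a state lookup
        if "+" not in m["flags"]:    # last (or only) fragment: total payload size is known
            d["payload_bytes"] = offset + int(m["length"]) - IP_HDR_LEN
    return dict(datagrams)

def blocked_fragmented_nfs(datagrams):
    """Keys of blocked multi-fragment datagrams whose first fragment came from the NFS port."""
    return sorted(k for k, d in datagrams.items()
                  if d["action"] == "block" and d["src_port"] == 2049 and d["fragments"] > 1)
```

pf of that era evaluates fragments it has not reassembled without any state lookup, which is why even the first fragment of each 8 KB reply (the one that still shows port 2049) falls through to `block in log all`, while a small directory listing that fits in one unfragmented datagram matches the state from the `pass out ... keep state` rule. A `scrub in all` line in pf.conf turns on fragment reassembly so the whole reply is matched against that state.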