Date: Sun, 27 Apr 2003 20:08:11 -0500 (CDT)
From: Robert Johannes <rjohanne@piper.hamline.edu>
To: freebsd-ipfw@freebsd.org
Subject: nfs and ipfw
Message-ID: <Pine.GSO.4.44.0304271329390.2317-100000@mendeleev.hamline.edu>
In-Reply-To: <200304271259.02025.ajacoutot@lphp.org>

I recently built a 4.8-stable system, with firewalling. It is not a
gateway/router, just an nfs and samba server, but I built in the firewall
so I can prohibit potential traffic from the router/gateway in case it was
broken into. I'm using normal ipfw, with the following rules:

    allow ip from any to any via lo0
    deny ip from any to 127.0.0.0/8
    deny ip from 127.0.0.0/8 to any
    allow tcp from any to any established
    allow ip from any to any frag
    allow tcp from any to any setup
    allow ip from $nfsclient to $fileserver keep-state
    allow ip from xx.xx.xx.1 to $fileserver keep-state
    deny ip from any to any

The router/gateway is at xx.xx.xx.254. I'm able to mount the filesystems
from the $fileserver, but I'm not able to write a substantial amount of
data to the filesystems; I can create a file by 'touching' one on the nfs
filesystem, but I can't copy a big file onto the filesystem. I have
successfully copied a file as big as the /etc/hosts file (a few bytes).

From watching tcpdump, it seems that any time there's significant i/o on
the nfs filesystem, the fileserver stops responding, and I note the
following lines repeated perhaps a hundred or more times:

    15:04:32.619887 $nfsclient > $nfsserver: (frag 7506:340@32560)
    15:04:32.619906 $nfsclient > $nfsserver: (frag 7506:1480@31080+)
    15:04:32.619934 $nfsclient > $nfsserver: (frag 7506:1480@29600+)
    15:04:32.619949 $nfsclient > $nfsserver: (frag 7506:1480@28120+)
    15:04:32.619962 $nfsclient > $nfsserver: (frag 7506:1480@26640+)
    15:04:32.619975 $nfsclient > $nfsserver: (frag 7506:1480@25160+)
    15:04:32.619987 $nfsclient > $nfsserver: (frag 7506:1480@23680+)
    15:04:32.619998 $nfsclient > $nfsserver: (frag 7506:1480@22200+)
    15:04:32.620009 $nfsclient > $nfsserver: (frag 7506:1480@20720+)

At this point I get an "nfs: server $nfsserver not responding, timed out"
message logged on the nfsclient. I'm pretty sure it has to do with my ipfw
configuration, but I can't pinpoint the problem.

Any ideas?

robert
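
An added example, not part of the original message: a small Python reader for the tcpdump notation quoted above, `(frag id:size@offset+)`, where a trailing `+` means more fragments follow. It groups fragments by IP id and reports the datagram's total payload size and which byte ranges do not appear in the capture; the function names are hypothetical and the sample is the nine lines from the message, so a reported gap only describes that excerpt.

```python
import re
from collections import defaultdict

# Constructed sample: the fragment lines quoted in the message, placeholders kept.
SAMPLE = """\
15:04:32.619887 $nfsclient > $nfsserver: (frag 7506:340@32560)
15:04:32.619906 $nfsclient > $nfsserver: (frag 7506:1480@31080+)
15:04:32.619934 $nfsclient > $nfsserver: (frag 7506:1480@29600+)
15:04:32.619949 $nfsclient > $nfsserver: (frag 7506:1480@28120+)
15:04:32.619962 $nfsclient > $nfsserver: (frag 7506:1480@26640+)
15:04:32.619975 $nfsclient > $nfsserver: (frag 7506:1480@25160+)
15:04:32.619987 $nfsclient > $nfsserver: (frag 7506:1480@23680+)
15:04:32.619998 $nfsclient > $nfsserver: (frag 7506:1480@22200+)
15:04:32.620009 $nfsclient > $nfsserver: (frag 7506:1480@20720+)
"""

FRAG = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")

def parse_frags(text):
    """Return {ip_id: [(offset, size, more_fragments), ...]} sorted by offset."""
    groups = defaultdict(list)
    for m in FRAG.finditer(text):
        ip_id, size, offset = (int(g) for g in m.group(1, 2, 3))
        groups[ip_id].append((offset, size, m.group(4) == "+"))
    return {ip_id: sorted(frags) for ip_id, frags in groups.items()}

def summarize(frags):
    """Total payload of one datagram and the byte ranges missing from the capture."""
    last = [f for f in frags if not f[2]]      # MF clear marks the final fragment
    total = last[0][0] + last[0][1] if last else None
    gaps, pos = [], 0
    for offset, size, _ in frags:
        if offset > pos:                       # bytes pos..offset were not captured
            gaps.append((pos, offset))
        pos = max(pos, offset + size)
    if total is not None and pos < total:
        gaps.append((pos, total))
    return {"fragments": len(frags), "total_bytes": total,
            "first_seen": any(f[0] == 0 for f in frags), "gaps": gaps}

if __name__ == "__main__":
    for ip_id, frags in parse_frags(SAMPLE).items():
        print(ip_id, summarize(frags))
```
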