From: Matt Juszczak <matt@atopia.net>
Date: Sun, 03 Apr 2005 14:06:24 -0400
To: Erik Nørgaard
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFILTER and NFS
Message-ID: <425030A0.4000809@atopia.net>
In-Reply-To: <424FCDD3.6040507@locolomo.org>

Problem is that I need to firewall the client. I don't have access to the NFS
server... only the client. Your configuration info showed me making changes
on the server. Is there a way to make the client work OK?

-Matt

Erik Nørgaard wrote:
> Matt Juszczak wrote:
>
>> Howdy,
>>
>> Trying to get IPFILTER and NFS working. A google search didn't show
>> much about my specific issue. With ipfilter working, nfs initially
>> works, until someone tries to login. Then it stops working. With my
>> firewall down on the NFS-CLIENT machine, it works fine. Any ideas?
>>
>> It appears to be an issue with random ports....
>
> It is, NFS is an RPC service where the RPC daemon is requested for
> info on which port mountd binds to. I wrote a howto for diskless
> clients, www.daemonsecurity.com/pxe/ - here's what to do:
>
> Enable nfs in /etc/rc.conf:
>
> rpcbind_enable="YES"      # Run the portmapper service (YES/NO).
> nfs_server_enable="YES"   # This host is an NFS server (or NO).
> mountd_enable="YES"       # Run mountd (or NO).
> mountd_flags="-r -p 59"   # Force mountd to bind on port 59
>
> As a minimum you need to enable rpcbind, nfsserver and mountd. lockd
> and statd provide file locking and status monitoring. By default,
> when mountd starts it binds to some arbitrary port, and rpc is used to
> discover which, making it impossible to firewall. With option '-p'
> mountd can be forced to bind to a specific port. Port 59 is assigned
> to "any private file service" (see /etc/services).
>
> This limits the number of ports relevant to 59, 111 and 2049. You
> can't force lockd and statd to bind to specific ports (they are also
> RPC services) and AFAIK you can't have disk quotas work correctly
> because of this.
>
> AFAIK NFS4 should address these problems, but the NFS4 server is still
> experimental.
>
> Till then, RPC is a security nightmare.
>
> Erik
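Added example, not part of the thread: a small Python script that parses `rpcinfo -p <server>` output (the portmapper query Erik describes) and reports, per RPC service, the ports a firewall rule set would have to allow, flagging the services that are not pinned to a fixed port (lockd/statd) and so cannot be covered by a static rule. The `rpcinfo` sample is constructed, with mountd on port 59 as in the rc.conf above.

```python
import re
from collections import defaultdict

# Constructed sample of `rpcinfo -p <server>` output; not captured from a real host.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp     59  mountd
    100005    3   tcp     59  mountd
    100021    4   udp    873  nlockmgr
    100021    4   tcp    875  nlockmgr
    100024    1   udp    920  status
    100024    1   tcp    921  status
"""

# Ports that survive a restart: rpcbind (111), nfsd (2049) and, with
# mountd_flags="-r -p 59", mountd (59). Everything else is assigned at start-up.
FIXED_PORTS = {111, 2049, 59}

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Return (program, version, proto, port, service) tuples; header line is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            prog, vers, proto, port, svc = m.groups()
            entries.append((int(prog), int(vers), proto, int(port), svc))
    return entries


def firewall_ports(entries):
    """Map each service name to the set of (proto, port) pairs it listens on."""
    ports = defaultdict(set)
    for _, _, proto, port, svc in entries:
        ports[svc].add((proto, port))
    return dict(ports)


def unpinned_services(entries):
    """Services bound outside FIXED_PORTS: a static allow rule for them can break on reboot."""
    return sorted({svc for _, _, _, port, svc in entries if port not in FIXED_PORTS})


if __name__ == "__main__":
    ents = parse_rpcinfo(SAMPLE_RPCINFO)
    for svc, pp in sorted(firewall_ports(ents).items()):
        print(f"{svc:10s} {sorted(pp)}")
    print("not pinned to a fixed port:", unpinned_services(ents))
```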