From owner-freebsd-questions Fri Oct 11 13:56:10 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4FF4B37B401 for ; Fri, 11 Oct 2002 13:56:07 -0700 (PDT)
Received: from akira.lanfear.com (akira.lanfear.com [216.168.61.84]) by mx1.FreeBSD.org (Postfix) with SMTP id DD65443E88 for ; Fri, 11 Oct 2002 13:56:06 -0700 (PDT) (envelope-from mw@lanfear.com)
Received: (qmail 67622 invoked from network); 11 Oct 2002 20:56:06 -0000
Received: from akira.lanfear.com (HELO there) (216.168.61.84) by akira.lanfear.com with SMTP; 11 Oct 2002 20:56:06 -0000
Content-Type: text/plain; charset="iso-8859-1"
From: Mark
Reply-To: mw@lanfear.com
To: "DaleCo, S.P.---'the solutions people'" ,
Subject: Re: NFS rules for ipfw
Date: Fri, 11 Oct 2002 13:56:01 -0700
X-Mailer: KMail [version 1.3.1]
References: <20021011200948.7904C43E88@mx1.FreeBSD.org> <00d801c27163$526113f0$11ec910c@DaleCoportable>
In-Reply-To: <00d801c27163$526113f0$11ec910c@DaleCoportable>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <20021011205606.DD65443E88@mx1.FreeBSD.org>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

It's been remarkably non-trivial to find out what ports NFS is using. A search through a few NFS and TCP programming books here has yielded little, as has Google. However, I did do a tcpdump on the failed connect, and there was activity on the sunrpc port, and then 713, 714, and 1023 (all UDP).

I'll fiddle with more ipfw rules and see what I can't come up with. My relative beginner's status with firewalls becomes apparent rapidly ....

Thanks,
Mark.

On Friday 11 October 2002 13:18, DaleCo, S.P.---'the solutions people' wrote:
> Straining for clues here. Maybe needs to be keep-state rules?
> We should probably RTM and/or do a little other research
> on what ports NFS is using, and how it's using them, etc.
>
> Have you done any packet sniffing on your LAN to see
> what's happening when the FW is blocking NFS?
>
> Cheers,
>
> Kevin Kinsey
> DaleCo, S.P.
> ----- Original Message -----
> From: "Mark"
> To:
> Sent: Friday, October 11, 2002 3:09 PM
> Subject: NFS rules for ipfw
>
> > Hello!
> >
> > I've got a little server here that is acting as a nat/router and firewall to
> > connect our home to the internet.
> >
> > I would, in addition, like to run NFS on this machine so that computers on
> > the internal network can share disks from it. (Yes, I realize this is
> > sub-optimal and an NFS server should theoretically be a separate machine, but
> > there are cost and space issues here ...)
> >
> > The problem is, I have a "simple" firewall up and running on this machine
> > that prevents the internal machines from connecting to the server via NFS.
> > (I've already verified changing the firewall to "open" allows NFS client
> > access).
> >
> > My question is: Is there a set of rules I can add to the server to allow NFS
> > clients from the LOCAL network only, but still prevent NFS requests from the
> > outside net?
> >
> > I've tried things like:
> >
> > ${fwcmd} add pass udp from ${inet}:${imask} to ${iip} 2049
> > ${fwcmd} add pass tcp from ${inet}:${imask} to ${iip} 2049
> >
> > and similar rules for port 369 (RPC2) and 111 (Sun RPC), but without any luck
> > -- client machines always give RPC Timed Out messages on mounts or any other
> > request.
> >
> > Any suggestions?
> >
> > Thanks,
> > Mark.
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
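Editor's note, added after the thread and not part of any message in it: the rules Mark tried for 111 (rpcbind) and 2049 (nfsd) are the right shape, but a mount also has to reach rpc.mountd, which by default binds a dynamically assigned port at start-up and registers it with rpcbind, so no fixed rule can match it. The usual fix is to pin that port (FreeBSD's mountd(8) takes -p for this; the other daemons a mount may touch, rpc.lockd and rpc.statd, also pick dynamic ports unless pinned, so check their man pages on your release) and then allow 111, 2049 and the pinned port from the LAN only. Below is an example rule generator written for this page, not code from the thread or from FreeBSD's rc.firewall. It reuses the variable names from Mark's post (fwcmd, inet, imask, iip); the mountd port 4046 and the LAN addresses in the dry run are arbitrary values chosen for the example.

```shell
#!/bin/sh
# Example ipfw rules for an NFS server that must accept NFS only from the LAN.
# Written for this page; not from the thread or from rc.firewall.
#
# Assumptions (label: example choices, adjust to your setup):
#   - rpc.mountd has been pinned to one port, e.g. mountd_flags="-r -p 4046"
#     in rc.conf, so that $mountd_port below is stable across reboots
#   - the ruleset is evaluated top to bottom and these rules precede any
#     final deny, as in the "simple" rc.firewall profile Mark is using
#
# Usage: nfs_ipfw_rules <fwcmd> <lan-net> <lan-mask> <server-ip> <mountd-port>
# Pass "echo" as <fwcmd> for a dry run that prints the rules instead of
# loading them; pass "ipfw" (or "${fwcmd}" from rc.firewall) to load them.
nfs_ipfw_rules() {
    fwcmd=$1 inet=$2 imask=$3 iip=$4 mountd_port=$5
    # rpcbind (111), nfsd (2049) and the pinned mountd port, as one ipfw port list
    nfs_ports="111,2049,${mountd_port}"

    # Let replies to LAN requests recorded by the keep-state rules below
    # pass without separate outbound rules (Kevin's keep-state suggestion).
    $fwcmd add check-state

    for proto in udp tcp; do
        # LAN clients only: source must be inside inet/imask, destination the
        # server's inside address. Matching on destination port alone is
        # deliberate: NFS clients send from reserved source ports (the 713,
        # 714 and 1023 seen in Mark's tcpdump are of that kind), which vary.
        $fwcmd add pass $proto from ${inet}:${imask} to ${iip} ${nfs_ports} keep-state
        # Anyone else, including the outside interface, is refused and logged.
        $fwcmd add deny log $proto from any to ${iip} ${nfs_ports}
    done
}

# Count rules produced for a given setup; handy for a sanity check before
# loading, and used by the dry run below.
nfs_rule_count() {
    nfs_ipfw_rules echo "$@" | grep -c '^add '
}

# Dry run with constructed values: prints five rules, loads nothing.
nfs_ipfw_rules echo 192.168.1.0 255.255.255.0 192.168.1.1 4046
```

After loading the rules for real, `rpcinfo -p <server>` from a LAN client should list mountd on the pinned port and nfs on 2049; if mountd still shows a different port each reboot, the pin did not take and the third port in the list must be corrected. The deny rules are listed after the pass rules on purpose: ipfw stops at the first match, so reordering them would block the LAN as well.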