Date: Fri, 11 Oct 2002 13:56:01 -0700
From: Mark <mw@lanfear.com>
To: "DaleCo, S.P.---'the solutions people'" <daleco@daleco.biz>, <questions@FreeBSD.ORG>
Subject: Re: NFS rules for ipfw
Message-ID: <20021011205606.DD65443E88@mx1.FreeBSD.org>
In-Reply-To: <00d801c27163$526113f0$11ec910c@DaleCoportable>
References: <20021011200948.7904C43E88@mx1.FreeBSD.org> <00d801c27163$526113f0$11ec910c@DaleCoportable>
It's been remarkably non-trivial to find out what ports NFS is using. A search through a few NFS and TCP programming books here has yielded little, as has Google. However, I did do a tcpdump on the failed connect, and there was activity on the sunrpc port, and then 713, 714, and 1023 (all UDP). I'll fiddle with more ipfw rules and see what I can't come up with. My relative beginner's status with firewalls becomes apparent rapidly ....

Thanks,
Mark.

On Friday 11 October 2002 13:18, DaleCo, S.P.---'the solutions people' wrote:
> Straining for clues here. Maybe needs to be keep-state rules?
> We should probably RT<F>M and/or do a little other research
> on what ports NFS is using, and how it's using them, etc.
>
> Have you done any packet sniffing on your LAN to see
> what's happening when the FW is blocking NFS?
>
> Cheers,
>
> Kevin Kinsey
> DaleCo, S.P.
> ----- Original Message -----
> From: "Mark" <mw@lanfear.com>
> To: <questions@FreeBSD.ORG>
> Sent: Friday, October 11, 2002 3:09 PM
> Subject: NFS rules for ipfw
>
> > Hello!
> >
> > I've got a little server here that is acting as a NAT/router and
> > firewall to connect our home to the internet.
> >
> > I would, in addition, like to run NFS on this machine so that
> > computers on the internal network can share disks from it. (Yes,
> > I realize this is sub-optimal and an NFS server should theoretically
> > be a separate machine, but there are cost and space issues here ...)
> >
> > The problem is, I have a "simple" firewall up and running on this
> > machine that prevents the internal machines from connecting to the
> > server via NFS. (I've already verified changing the firewall to
> > "open" allows NFS client access).
> >
> > My question is: Is there a set of rules I can add to the server to
> > allow NFS clients from the LOCAL network only, but still prevent NFS
> > requests from the outside net?
> >
> > I've tried things like:
> >
> > ${fwcmd} add pass udp from ${inet}:${imask} to ${iip} 2049
> > ${fwcmd} add pass tcp from ${inet}:${imask} to ${iip} 2049
> >
> > and similar rules for port 369 (RPC2) and 111 (Sun RPC), but
> > without any luck -- client machines always give RPC Timed Out
> > messages on mounts or any other request.
> >
> > Any suggestions?
> >
> > Thanks,
> > Mark.
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
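The rule set the thread is looking for, as an added example that is not part of the original messages and not anything the posters wrote. It uses the rc.firewall variable names from Mark's post (fwcmd, inet, imask, iip) plus an assumed outside-interface variable oif; the LAN addresses and port numbers are constructed sample values. It also assumes mountd, rpc.statd and rpc.lockd have been pinned to fixed ports with their -p flags (an assumption about the setup, not something the thread confirms), because by default those daemons register on whatever port the portmapper hands them and a static rule set cannot follow a number that changes on every restart. The stateless rules in the post admit the request to port 2049 but say nothing about the server's UDP reply back to the client; keep-state with a check-state rule covers both directions.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rules that admit NFS from the
# LAN only, in the rc.firewall variable style used in the original post.
#
# Assumptions (mine, not the thread's):
#   - fwcmd/inet/imask/iip/oif follow rc.firewall naming; the values below
#     are constructed sample values for a 192.168.1.0/24 home LAN.
#   - mountd, rpc.statd and rpc.lockd are pinned to fixed ports with their
#     -p flags (assumed; confirm the live numbers with: rpcinfo -p ${iip}).

# Dry run: the echo prefix prints the rules instead of loading them.
# Set fwcmd="/sbin/ipfw" to apply them for real (needs root on the server).
fwcmd="echo /sbin/ipfw"
inet="192.168.1.0"
imask="255.255.255.0"
iip="192.168.1.1"
oif="fxp0"                  # outside interface (assumed name)

mountd_port=4046            # assumed pinned ports, see above
statd_port=4047
lockd_port=4048

# 111 = portmapper (sunrpc), 2049 = nfsd, the rest = the pinned RPC daemons.
nfs_ports="111 2049 ${mountd_port} ${statd_port} ${lockd_port}"

nfs_rules() {
    # check-state admits the reply packets of every flow that a keep-state
    # rule below has recorded, so the UDP RPC replies from ${iip} back to
    # the client need no rule of their own. A stateless 'pass ... to ${iip}
    # 2049' lets the request in but leaves the reply to whatever outbound
    # rules happen to exist.
    ${fwcmd} add check-state

    for port in ${nfs_ports}; do
        # Refuse RPC/NFS arriving on the outside interface, whatever the
        # source address claims to be. ipfw stops at the first matching
        # rule, so these must come before the pass rules.
        ${fwcmd} add deny udp from any to any ${port} in via ${oif}
        ${fwcmd} add deny tcp from any to any ${port} in via ${oif}

        # Admit the LAN. The source port is left unrestricted: NFS clients
        # use reserved (<1024) source ports by default, which is what the
        # low UDP port numbers in a tcpdump of a mount attempt usually are.
        ${fwcmd} add pass udp from ${inet}:${imask} to ${iip} ${port} keep-state
        ${fwcmd} add pass tcp from ${inet}:${imask} to ${iip} ${port} setup keep-state
    done
}

nfs_rules
```

Two checks worth running after loading the rules for real: `rpcinfo -p` against the server from a LAN client should list nfs, mountd, status and nlockmgr on the ports the rules open (if mountd shows a different port each reboot, the -p pinning is not in effect), and `ipfw -d list` on the server during a mount should show dynamic rules appearing for the client's address, which is the keep-state machinery working.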