From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 27 18:11:50 2003
Date: Sun, 27 Apr 2003 20:08:11 -0500 (CDT)
From: Robert Johannes
To: freebsd-ipfw@freebsd.org
In-Reply-To: <200304271259.02025.ajacoutot@lphp.org>
Subject: nfs and ipfw

I recently built a 4.8-stable system, with firewalling. It is not a gateway/router, just an nfs and samba server, but I built in the firewall so I can prohibit potential traffic from the router/gateway in case it was broken into.
I'm using normal ipfw, with the following rules:

    allow ip from any to any via lo0
    deny ip from any to 127.0.0.0/8
    deny ip from 127.0.0.0/8 to any
    allow tcp from any to any established
    allow ip from any to any frag
    allow tcp from any to any setup
    allow ip from $nfsclient to $fileserver keep-state
    allow ip from xx.xx.xx.1 to $fileserver keep-state
    deny ip from any to any

The router/gateway is at xx.xx.xx.254.

I'm able to mount the filesystems from the $fileserver, but I'm not able to write a substantial amount of data to the filesystems; I can create a file by 'touching' one on the nfs filesystem, but I can't copy a big file onto the filesystem. I have successfully copied a file as big as the /etc/hosts file (a few bytes).

From watching tcpdump, it seems that any time there's significant i/o on the nfs filesystem, the fileserver stops responding, and I note the following lines repeated perhaps a hundred or more times:

    15:04:32.619887 $nfsclient > $nfsserver: (frag 7506:340@32560)
    15:04:32.619906 $nfsclient > $nfsserver: (frag 7506:1480@31080+)
    15:04:32.619934 $nfsclient > $nfsserver: (frag 7506:1480@29600+)
    15:04:32.619949 $nfsclient > $nfsserver: (frag 7506:1480@28120+)
    15:04:32.619962 $nfsclient > $nfsserver: (frag 7506:1480@26640+)
    15:04:32.619975 $nfsclient > $nfsserver: (frag 7506:1480@25160+)
    15:04:32.619987 $nfsclient > $nfsserver: (frag 7506:1480@23680+)
    15:04:32.619998 $nfsclient > $nfsserver: (frag 7506:1480@22200+)
    15:04:32.620009 $nfsclient > $nfsserver: (frag 7506:1480@20720+)

At this point I get an "nfs: server $nfsserver not responding, timed out" message logged on the nfsclient.

I'm pretty sure it has to do with my ipfw configuration, but I can't pinpoint the problem. Any ideas?

robert
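The tcpdump lines above are the kind of evidence a defender reads when a firewall rule interacts badly with fragmented UDP traffic such as NFS writes. The following Python script is an added example, not code from the post or from FreeBSD, that parses the `(frag ID:size@offset+)` notation tcpdump prints for IP fragments, groups fragments by IP identification, and reports which byte ranges of each datagram were observed and which are missing. It also classifies each fragment against the ipfw `frag` keyword, which (per ipfw(8)) matches only fragments that are not the first fragment of a datagram; the first fragment, at offset 0, is the only one carrying the UDP header and therefore the only one a port-aware or stateful rule can inspect. The sample input is constructed from the lines quoted in the post, with the `$nfsclient`/`$nfsserver` placeholders kept as-is.

```python
import re
from dataclasses import dataclass

# Constructed sample: the tcpdump output quoted in the post above.
SAMPLE_TRACE = """\
15:04:32.619887 $nfsclient > $nfsserver: (frag 7506:340@32560)
15:04:32.619906 $nfsclient > $nfsserver: (frag 7506:1480@31080+)
15:04:32.619934 $nfsclient > $nfsserver: (frag 7506:1480@29600+)
15:04:32.619949 $nfsclient > $nfsserver: (frag 7506:1480@28120+)
15:04:32.619962 $nfsclient > $nfsserver: (frag 7506:1480@26640+)
15:04:32.619975 $nfsclient > $nfsserver: (frag 7506:1480@25160+)
15:04:32.619987 $nfsclient > $nfsserver: (frag 7506:1480@23680+)
15:04:32.619998 $nfsclient > $nfsserver: (frag 7506:1480@22200+)
15:04:32.620009 $nfsclient > $nfsserver: (frag 7506:1480@20720+)
"""

# tcpdump's fragment annotation: (frag <ip id>:<payload size>@<offset>[+])
# The trailing '+' is the "more fragments" (MF) flag.
FRAG_RE = re.compile(r"\(frag (?P<id>\d+):(?P<size>\d+)@(?P<off>\d+)(?P<more>\+?)\)")


@dataclass
class Fragment:
    ip_id: int
    size: int      # payload bytes carried by this fragment
    offset: int    # byte offset within the reassembled datagram
    more: bool     # MF flag set (not the last fragment)


def parse_fragments(text):
    """Extract one Fragment per tcpdump line that carries a frag annotation."""
    frags = []
    for line in text.splitlines():
        m = FRAG_RE.search(line)
        if m:
            frags.append(Fragment(int(m["id"]), int(m["size"]),
                                  int(m["off"]), m["more"] == "+"))
    return frags


def matches_ipfw_frag_keyword(frag):
    """ipfw 'frag' matches fragments that are NOT the first fragment, i.e. offset > 0.
    The offset-0 fragment carries the L4 header and must match some other rule."""
    return frag.offset > 0


def coverage_report(frags):
    """Per IP id: observed byte ranges, gaps, total length and completeness."""
    by_id = {}
    for f in frags:
        by_id.setdefault(f.ip_id, []).append(f)

    reports = {}
    for ip_id, fl in by_id.items():
        fl.sort(key=lambda f: f.offset)
        # The fragment without MF tells us the datagram's total length.
        last = [f for f in fl if not f.more]
        total = last[0].offset + last[0].size if last else None

        gaps, expected = [], 0
        for f in fl:
            if f.offset > expected:
                gaps.append((expected, f.offset))   # bytes never seen
            expected = max(expected, f.offset + f.size)

        reports[ip_id] = {
            "total_length": total,
            "seen_bytes": sum(f.size for f in fl),
            "gaps": gaps,
            "has_first_fragment": fl[0].offset == 0,
            "complete": total is not None and not gaps and expected == total,
            # how many of the observed fragments the bare 'frag' rule would admit
            "admitted_by_frag_rule": sum(matches_ipfw_frag_keyword(f) for f in fl),
        }
    return reports


if __name__ == "__main__":
    for ip_id, rep in coverage_report(parse_fragments(SAMPLE_TRACE)).items():
        print(f"IP id {ip_id}: {rep}")
```

Run against the quoted trace, the report shows a 32900-byte datagram of which only the tail (offsets 20720 onward, 12180 bytes) appears, with the offset-0 fragment absent from the capture and every fragment that was seen being one the `allow ip from any to any frag` rule admits. That split, a blanket rule for non-first fragments beside a stateful rule that can only ever see the first one, is exactly the interaction worth checking when an NFS mount works for tiny files and stalls on large writes.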