From: Garrett Cooper <youshi10@u.washington.edu>
To: freebsd-questions@freebsd.org
Date: Thu, 14 Dec 2006 23:23:08 -0800
Subject: ipf and dealing with inbound RPC services
Message-ID: <45824D5C.30600@u.washington.edu>
List: freebsd-questions (User questions)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello once again,

Just set up ipf on my FreeBSD server, and I'm having some issues with RPC services and my firewall rules. I run nfsd and smbd, exporting my directories to a number of clients, and everything works without the firewall running, but smbd doesn't work with it running. Here are my effective rules for the server so far:

[root@hoover /home/gcooper]# ipfstat -i
pass in quick on lo0 all
block in quick from any to any with frag
block in quick from 172.16.0.0/12 to any
block in quick from 10.0.0.0/8 to any
block in quick from 127.0.0.0/8 to any
block in quick from 0.0.0.0/8 to any
block in quick from 169.254.0.0/16 to any
block in quick from 192.0.2.0/24 to any
block in quick from 204.152.64.0/23 to any
block in quick from 224.0.0.0/3 to any
pass in quick proto tcp from any to 192.168.0.100/32 port = ssh flags S/FSRPAU keep state
pass in quick proto tcp/udp from any to any port = sunrpc keep state
pass in quick proto tcp/udp from any to any port 830 >< 884 keep state
pass in quick proto tcp/udp from any to any port 137 >< 139 keep state
pass in quick proto tcp/udp from any to any port = microsoft-ds keep state
pass in quick proto tcp/udp from any to any port = nfsd keep state
pass in quick proto tcp/udp from any to any port = 3632 keep state
pass in quick proto icmp from any to 192.168.0.100/32 keep state
[root@hoover /home/gcooper]# ipfstat -o
pass out quick on lo0 all
pass out quick all keep state

nfsd works, but only after experimenting with the open ports a bit. Figured out that rpcbind semi-randomly selects ports for mountd, and I have to write a script to auto-add rules for the ports it creates for mountd. As for smbd, I can't seem to get incoming packets past the ipf firewall.

Would anyone have any ideas for why things aren't working for smbd, and have solutions for how you got your ipf firewall to work with smbd? All the solutions I can find after some searching deal with Solaris or ancient versions of FreeBSD (2.1... eep).

TIA,
- -Garrett
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFgk1bEnKyINQw/HARAr3yAJ9L4lZcsj16a3m+ls+1S6MxfrVAvgCdFyWh
ClC5K3YxBiXtzkMsouyKih8=
=uDi2
-----END PGP SIGNATURE-----
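Editor's added example (not part of Garrett's post, and not from the FreeBSD base system): the "script to auto-add rules for the ports it creates for mountd" that the post describes, written as a POSIX sh filter. It reads the output of `rpcinfo -p`, keeps only the tcp/udp registrations for the `mountd` service, validates the port number before it becomes firewall policy, and emits one ipf `pass in` rule per distinct protocol/port. The client network `192.168.0.0/24` is an assumption standing in for the post's `from any`; the function names and the embedded `rpcinfo -p` sample are constructed for the demonstration so the script runs on a machine with no NFS server.

```shell
#!/bin/sh
# Added example: emit ipf "pass in" rules for whatever ports mountd has
# currently registered with rpcbind.  Real use on the NFS server:
#
#     rpcinfo -p localhost | mountd_rules 192.168.0.0/24 | ipf -f -
#
# The client network is an assumption (the post's rules used "any").

# Constructed sample of `rpcinfo -p` output in the column layout rpcbind
# prints on FreeBSD (program, vers, proto, port, service).  Several mountd
# versions share one port per protocol, which the generator must collapse.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100005    1   udp    863  mountd
    100005    1   tcp    866  mountd
    100005    3   udp    863  mountd
    100005    3   tcp    866  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100024    1   udp    800  status'

# mountd_rules [SRC]: read `rpcinfo -p` output on stdin and print one ipf
# rule per distinct (proto, port) pair registered by mountd.  SRC defaults
# to "any".  The port is checked to be an integer in 1..65535 before it is
# interpolated, because this output is being turned into firewall policy.
mountd_rules() {
    src="${1:-any}"
    awk -v src="$src" '
        $5 == "mountd" && ($3 == "tcp" || $3 == "udp") &&
        $4 ~ /^[0-9]+$/ && $4 >= 1 && $4 <= 65535 {
            key = $3 " " $4
            if (!(key in seen)) {
                seen[key] = 1
                printf "pass in quick proto %s from %s to any port = %d keep state\n",
                       $3, src, $4
            }
        }'
}

# sample_rules [SRC]: run the generator over the constructed sample.
sample_rules() {
    printf '%s\n' "$SAMPLE_RPCINFO" | mountd_rules "${1:-any}"
}

# count_sample_rules [SRC]: number of rules the sample produces (expected 2:
# one for udp/863 and one for tcp/866, the duplicate versions collapsed).
count_sample_rules() {
    sample_rules "${1:-any}" | wc -l | tr -d ' '
}

# Running the file directly prints the rules for the sample.
sample_rules "${1:-any}"
```

Two caveats a practitioner would add before relying on this. First, chasing mountd's port with a generator is a workaround; FreeBSD's mountd(8) accepts `-p port` to bind to a fixed port, which lets the rule be static. Second, ipf's `><` operator is an exclusive range (ipf.conf(5): `port 137 >< 139` matches only port 138, and `port 830 >< 884` matches 831 through 883), which is why the generator above emits explicit `port = N` rules rather than ranges.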