Date:      Thu, 23 Nov 2006 16:25:03 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        vittorio <vdemart1@tin.it>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPFW & NFS
Message-ID:  <Pine.BSF.3.96.1061123153915.5597A-100000@gaia.nimnet.asn.au>
In-Reply-To: <20061123011938.6505416A596@hub.freebsd.org>

vittorio <vdemart1@tin.it> wrote:

 > I have two FreeBSD 6.1 boxes, one of which (IP 10.0.0.1) is an NFS server and 
 > the other one (IP 10.0.0.2) is, among other things, an NFS client sharing 
 > directories with the NFS server.
 > It all works correctly and I can mount_nfs all the directories from the 
 > server.
 > BUT, I'm now trying to use an IPFW firewall both on the server and on the 
 > client. My simple aim is to set up connections between the 10.0.0.1 server and 
 > the 10.0.0.2 client ** only **; no connections should be possible with other 
 > clients!
 > Now I've tried the poor documentation I could find googling with the 
 > keywords "freebsd ipfw nfs" to no avail; I cannot mount_nfs any share on the 
 > client because something goes wrong with RPC.
 > Concentrating on the client side (no ipfw for the moment on the server) I 
 > tried the following
 > 
 > ipfw add 300 allow ip from 10.0.0.1 2049,111,1022 to 10.0.0.2 via fxp0 setup 
 > keep-state
 > 
 > OR
 > ipfw add 300 allow ip from 10.0.0.1 to 10.0.0.2  2049,111,1022 via fxp0 setup 
 > keep-state
 >   
 > OR
 > ipfw add 300 allow ip from 10.0.0.1 2049,111,1022 to me via fxp0 setup 
 > keep-state
 > 
 > OR
 > ipfw add 300 allow ip from 10.0.0.1 to me  2049,111,1022 via fxp0 setup 
 > keep-state
 > 
 > If I disable the firewall it all goes smoothly.

Firstly, what Chuck and Bill said .. but some further points ..

Secondly, you don't specify port numbers with 'allow ip', which covers
tcp, udp and raw ip packets also; you want 'allow udp' here, unless of
course you're using NFS over TCP as well, where you'd need 'allow tcp'. 
Note also that 'setup' only applies to TCP connections.

Thirdly, if you do want to use stateful rules on the client, you'll do
better doing them on your _outbound_ connections, something like:

  ipfw add xxx allow udp from ${client} to ${server} ${nfsports} keep-state

If it were me I'd concentrate on the server side firewall rules (and
/etc/exports allowed hosts) both for allowing desired and disallowing
undesired connections, so not having to worry much about what client/s
may or may not be doing.

'man ipfw' is actually pretty good documentation, though there is a fair
bit to absorb there.  I still read it before bedtime now and again :)

Ciao, Ian
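Ian's advice above (name the protocol instead of 'ip', keep state on the client's outbound traffic, use 'setup' only for TCP), written out as an added example that is not part of the thread. It reuses the addresses, interface and ports the original poster gave; the rule numbers are placeholders and the shell is assumed to be a plain sh:

```shell
#!/bin/sh
# Added example, not from the thread: the client-side ruleset Ian sketches.
# - the protocol is named (udp/tcp); 'allow ip' cannot carry a port list
# - rules are stateful on the client's *outbound* traffic ('out via'), so
#   server replies match the dynamic rule instead of needing inbound holes
# - 'setup' appears only on the TCP rule; it has no meaning for UDP
# Addresses, interface and ports are the ones the original poster listed;
# rule numbers are arbitrary placeholders.

client=10.0.0.2
server=10.0.0.1
iface=fxp0
nfsports="111,2049,1022"   # portmapper, nfsd, and the mountd port the OP listed

# Print the rules in ipfw(8) syntax, one per line, without executing anything.
nfs_client_rules() {
    # Check replies against the dynamic ruleset before anything else
    printf 'ipfw add 300 check-state\n'
    # UDP NFS/RPC: stateful on outbound packets, no 'setup'
    printf 'ipfw add 310 allow udp from %s to %s %s out via %s keep-state\n' \
        "$client" "$server" "$nfsports" "$iface"
    # TCP NFS (only needed when mounting with mount_nfs -T): 'setup' matches the SYN
    printf 'ipfw add 320 allow tcp from %s to %s %s out via %s setup keep-state\n' \
        "$client" "$server" "$nfsports" "$iface"
    # Anything else aimed at the NFS/RPC ports on this interface is dropped,
    # which is the poster's "this client and this server only" requirement
    printf 'ipfw add 330 deny udp from any to any %s via %s\n' "$nfsports" "$iface"
    printf 'ipfw add 340 deny tcp from any to any %s via %s\n' "$nfsports" "$iface"
}

# Sanity check that would have caught the poster's attempts: no rule may use
# the bare 'ip' protocol, because ports are only valid for tcp and udp.
rules_are_sane() {
    ! nfs_client_rules | grep -q ' ip from '
}

# Run as root and pipe into a shell to load the rules, e.g.  sh this.sh | sh
nfs_client_rules
```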



