Date:      Thu, 23 Nov 2006 19:55:19 +0000
From:      vittorio <>
Subject:   Re: IPFW & NFS

Well I tried something similar to your
ipfw add xxx allow udp from ${client} to ${server} ${nfsports} keep-state
ipfw add 300 allow udp from to 2049,111,1022 setup
(it differs from your line for the setup option).
It didn't work at all.

Afterwards, following Chuck's advice, I had a go at modifying the ipfw firewall
in the nfs client (no firewall for the time being on the nfs server)
and added towards the end of the list, immediately before the very
last line denying everything else

50000 allow ip from to
51000 allow ip from to
65535 deny ip from any to any

It seemed to work.... partially! I mean that I could mount_nfs the share in
the client, surfing the directories, reading and writing files in the share,
BUT ... out of the blue, after some minutes the client froze and I had to
reboot :-( brutally turning off and on the box.

Help please

At 05:25, Thursday 23 November 2006, Ian Smith wrote:
> vittorio <> wrote:
>  > I have two FreeBSD 6.1 boxes one of which (IP is an NFS server
>  > and the other one (IP is, among other things, an NFS client
>  > sharing directories with the NFS server.
>  > It all works correctly and I can mount_nfs all the directories from the
>  > server.
>  > BUT, I'm now trying to use an IPFW firewall both on the server and on
>  > the client. My simple aim is to setup connections between the
>  > server and the client ** only **; no connections should be
>  > possible with other clients!
>  > Now I've tried the poor documentation I could find googling with the
>  > keywords "freebsd ipfw nfs" to no avail, I cannot mount_nfs any share on
>  > the client because something goes wrong with RPC.
>  > Concentrating on the client side (no ipfw for the moment on the server)
>  > I tried the following
>  >
>  > ipfw add 300 allow ip from 2049,111,1022 to via fxp0 setup keep-state
>  >
>  > OR
>  > ipfw add 300 allow ip from to 2049,111,1022 via fxp0 setup keep-state
>  >
>  > OR
>  > ipfw add 300 allow ip from 2049,111,1022 to me via fxp0 setup keep-state
>  >
>  > OR
>  > ipfw add 300 allow ip from to me 2049,111,1022 via fxp0 setup keep-state
>  >
>  > If I disable the firewall it all goes smoothly.
> Firstly, what Chuck and Bill said .. but some further points ..
> Secondly, you don't specify port numbers with 'allow ip', which covers
> tcp, udp and raw ip packets also; you want 'allow udp' here, unless of
> course you're using NFS over TCP as well, where you'd need 'allow tcp'.
> Note also that 'setup' only applies to TCP connections.
> Thirdly, if you do want to use stateful rules on the client, you'll do
> better doing them on your _outbound_ connections, something like:
>   ipfw add xxx allow udp from ${client} to ${server} ${nfsports} keep-state
> If it were me I'd concentrate on the server side firewall rules (and
> /etc/exports allowed hosts) both for allowing desired and disallowing
> undesired connections, so not having to worry much about what client/s
> may or may not be doing.
> 'man ipfw' is actually pretty good documentation, though there is a fair
> bit to absorb there.  I still read it before bedtime now and again :)
> Ciao, Ian
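A rule-checking helper, added here as an example and not part of this thread or of FreeBSD's ipfw itself: it parses candidate rules of the shape tried above and flags the three mistakes Ian points out (a port list on `allow ip`, `setup` on a non-TCP rule, and `keep-state` placed on the inbound rather than the outbound direction), then builds a client ruleset that passes the same check. The addresses 10.0.0.1/10.0.0.2, the interface-free form and the rule numbers are constructed placeholders, since the archive stripped the real ones; the port list 2049,111,1022 is the thread's own.

```python
import re

# Constructed placeholders: the archive stripped the real addresses from the thread.
CLIENT = "10.0.0.2"
SERVER = "10.0.0.1"
NFS_PORTS = "2049,111,1022"   # the ports used in the thread (nfsd, rpcbind, mountd)

# Candidate rules paraphrased from the thread, one per attempt (constructed sample input).
CANDIDATE_RULES = [
    f"ipfw add 300 allow ip from {SERVER} {NFS_PORTS} to {CLIENT} via fxp0 setup keep-state",
    f"ipfw add 300 allow udp from {CLIENT} to {SERVER} {NFS_PORTS} setup",
    f"ipfw add 50000 allow ip from {CLIENT} to {SERVER}",
    f"ipfw add xxx allow udp from {CLIENT} to {SERVER} {NFS_PORTS} keep-state",
]

# Minimal grammar for the rule forms that appear in the thread:
#   ipfw add <num> allow|deny <proto> from <src> [ports] to <dst> [ports] [options...]
RULE_RE = re.compile(
    r"^ipfw add (?P<num>\S+) (?P<action>allow|deny) (?P<proto>\S+)"
    r" from (?P<src>\S+)(?: (?P<sports>[\d,-]+))?"
    r" to (?P<dst>\S+)(?: (?P<dports>[\d,-]+))?(?P<rest>.*)$"
)


def lint_rule(rule, local_host=CLIENT):
    """Return a list of problems found in one ipfw rule (empty list means clean).

    local_host is the address of the box the ruleset runs on; 'me' is treated
    as an alias for it, as in the thread's 'to me' variants.
    """
    rule = rule.strip()
    if rule.endswith("check-state"):
        return []
    m = RULE_RE.match(rule)
    if not m:
        return ["unparsable rule"]
    problems = []
    proto = m.group("proto")
    opts = m.group("rest").split()
    # Point 1: port lists only make sense for tcp/udp, not for 'ip'.
    if proto == "ip" and (m.group("sports") or m.group("dports")):
        problems.append("port list with 'ip': use 'udp' (or 'tcp' for NFS over TCP)")
    # Point 2: 'setup' matches the TCP handshake only.
    if "setup" in opts and proto != "tcp":
        problems.append("'setup' only applies to TCP connections")
    # Point 3: keep state on the client's outbound rule, not on inbound traffic.
    if "keep-state" in opts and m.group("dst") in (local_host, "me"):
        problems.append("keep-state on inbound traffic: put it on the outbound rule instead")
    return problems


def lint_ruleset(rules, local_host=CLIENT):
    """Map each problematic rule to its list of problems; clean rules are omitted."""
    report = {}
    for r in rules:
        problems = lint_rule(r, local_host)
        if problems:
            report[r] = problems
    return report


def client_ruleset(client, server, nfs_ports=NFS_PORTS, nfs_over_tcp=False, base=300):
    """Build a client-side ruleset along the lines Ian suggests: stateful rules
    on the client's outbound NFS traffic to the one server, then deny the rest.

    A check-state rule precedes the stateful rules so that established
    dynamic entries are consulted before any new rule is evaluated.
    """
    rules = [
        f"ipfw add {base} check-state",
        f"ipfw add {base + 10} allow udp from {client} to {server} {nfs_ports} keep-state",
    ]
    if nfs_over_tcp:
        rules.append(
            f"ipfw add {base + 20} allow tcp from {client} to {server} {nfs_ports} setup keep-state"
        )
    # Explicit catch-all, numbered below ipfw's own default rule 65535.
    rules.append("ipfw add 65000 deny ip from any to any")
    return rules


if __name__ == "__main__":
    for rule, problems in lint_ruleset(CANDIDATE_RULES).items():
        print(rule)
        for p in problems:
            print("   -", p)
    print("\nSuggested client ruleset:")
    for line in client_ruleset(CLIENT, SERVER, nfs_over_tcp=True):
        print("  ", line)
```

Running the block lints the four attempts from the thread and then prints a ruleset that the same checks accept. The checks cover only what this thread discusses; they say nothing about whether mountd really listens on 1022 on a given box, which is a separate thing to confirm with `rpcinfo` before fixing port numbers in a rule.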
