From: vittorio <vdemart1@tin.it>
To: freebsd-questions@freebsd.org
Date: Thu, 23 Nov 2006 19:55:19 +0000
Subject: Re: IPFW & NFS
Message-Id: <200611231955.20223.vdemart1@tin.it>

Well, I tried something similar to your

  ipfw add xxx allow udp from ${client} to ${server} ${nfsports} keep-state

namely

  ipfw add 300 allow udp from 10.0.0.2 to 10.0.0.1 2049,111,1022 setup keep-state

(it differs from your line by the setup option). It didn't work at all.
Afterwards, following Chuck's advice, I had a go at modifying the ipfw firewall
in the NFS client 10.0.0.2 (no firewall for the time being on the NFS server
10.0.0.1) and added towards the end of the list, immediately before the very
last line denying everything else:

  50000 allow ip from 10.0.0.1 to 10.0.0.2
  51000 allow ip from 10.0.0.2 to 10.0.0.1
  65535 deny ip from any to any

It seemed to work.... partially! I mean that I could mount_nfs the share in
the client, surfing the directories, reading and writing files in the share,
BUT ... out of the blue, after some minutes the client froze and I had to
reboot :-( brutally turning off and on the box.

Help please
Vittorio

At 05:25, Thursday 23 November 2006, Ian Smith wrote:
> vittorio wrote:
> > I have two FreeBSD 6.1 boxes one of which (IP 10.0.0.1) is an NFS server
> > and the other one (IP 10.0.0.2) is, among other things, an NFS client
> > sharing directories with the NFS server.
> > It all works correctly and I can mount_nfs all the directories from the
> > server.
> > BUT, I'm now trying to use an IPFW firewall both on the server and on
> > the client. My simple aim is to setup connections between the 10.0.0.1
> > server and the 10.0.0.2 client ** only **; no connections should be
> > possible with other clients!
> > Now I've tried the poor documentation I could find googling with the
> > keywords "freebsd ipfw nfs" to no avail, I cannot mount_nfs any share on
> > the client because something goes wrong with RPC.
> > Concentrating on the client side (no ipfw for the moment on the server)
> > I tried the following
> >
> > ipfw add 300 allow ip from 10.0.0.1 2049,111,1022 to 10.0.0.2 via fxp0
> > setup keep-state
> >
> > OR
> > ipfw add 300 allow ip from 10.0.0.1 to 10.0.0.2 2049,111,1022 via fxp0
> > setup keep-state
> >
> > OR
> > ipfw add 300 allow ip from 10.0.0.1 2049,111,1022 to me via fxp0 setup
> > keep-state
> >
> > OR
> > ipfw add 300 allow ip from 10.0.0.1 to me 2049,111,1022 via fxp0 setup
> > keep-state
> >
> > If I disable the firewall it all goes smoothly.
>
> Firstly, what Chuck and Bill said .. but some further points ..
>
> Secondly, you don't specify port numbers with 'allow ip', which covers
> tcp, udp and raw ip packets also; you want 'allow udp' here, unless of
> course you're using NFS over TCP as well, where you'd need 'allow tcp'.
> Note also that 'setup' only applies to TCP connections.
>
> Thirdly, if you do want to use stateful rules on the client, you'll do
> better doing them on your _outbound_ connections, something like:
>
> ipfw add xxx allow udp from ${client} to ${server} ${nfsports} keep-state
>
> If it were me I'd concentrate on the server side firewall rules (and
> /etc/exports allowed hosts) both for allowing desired and disallowing
> undesired connections, so not having to worry much about what client/s
> may or may not be doing.
>
> 'man ipfw' is actually pretty good documentation, though there is a fair
> bit to absorb there. I still read it before bedtime now and again :)
>
> Ciao, Ian
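An added example, not from the thread or from FreeBSD itself: a small sh script that applies Ian's points, with a lint function that catches the two mistakes discussed (a port list on 'allow ip', and 'setup' on a non-TCP rule) and generators for the server-side and client-side rulesets. It assumes the server's mountd is pinned to port 1022 (which the 1022 in the thread suggests) and defaults to IPFW=echo so it prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the thread: lint ipfw rules for the two mistakes
# discussed above and emit the NFS rulesets Ian recommends.
# IPFW=echo (default) only prints rules; run with IPFW=ipfw on the real box.
IPFW=${IPFW:-echo}
SERVER=10.0.0.1
CLIENT=10.0.0.2
# 111 = rpcbind/portmapper, 2049 = nfsd, 1022 = mountd. Assumption: mountd is
# pinned with mountd_flags="-p 1022" in rc.conf; unpinned it picks a random port.
NFSPORTS=111,2049,1022

# Reject 'setup' on anything but tcp, and a port list on proto 'ip'
# (ports are only meaningful for tcp and udp, as Ian says).
lint_rule() {
    proto=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case " $1 " in
        *" setup "*)
            if [ "$proto" != tcp ]; then
                echo "lint: setup only applies to tcp: $1" >&2; return 1
            fi ;;
    esac
    if [ "$proto" = ip ] &&
       printf '%s\n' "$1" | grep -Eq '(from|to) [^ ]+ [0-9]+(,[0-9]+)*( |$)'; then
        echo "lint: a port list needs tcp or udp, not ip: $1" >&2; return 1
    fi
    return 0
}

# Server side: NFS/RPC from the one client only; anyone else is dropped before
# the final deny. Pair this with /etc/exports listing only that client,
# e.g. "/export -ro 10.0.0.2" (constructed path).
nfs_server_rules() {
    # TCP mounts: 'setup' matches the opening SYN, keep-state covers the rest
    $IPFW add 300 allow tcp from "$CLIENT" to "$SERVER" "$NFSPORTS" setup keep-state
    # UDP mounts: no handshake, so no 'setup'; keep-state lets the replies out
    $IPFW add 310 allow udp from "$CLIENT" to "$SERVER" "$NFSPORTS" keep-state
    $IPFW add 320 deny tcp from any to "$SERVER" "$NFSPORTS"
    $IPFW add 321 deny udp from any to "$SERVER" "$NFSPORTS"
    $IPFW add 65534 deny ip from any to any
}

# Client side, per Ian: keep state on the outbound request, not the inbound reply.
nfs_client_rules() {
    $IPFW add 300 allow tcp from "$CLIENT" to "$SERVER" "$NFSPORTS" setup keep-state
    $IPFW add 310 allow udp from "$CLIENT" to "$SERVER" "$NFSPORTS" keep-state
}

case "${1:-}" in server) nfs_server_rules ;; client) nfs_client_rules ;; esac
```

Run as `sh nfsrules.sh server` to print the server ruleset, or `IPFW=ipfw sh nfsrules.sh server` to load it.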