From: "Aaron P. Martinez" <ml@proficuous.com>
To: "Chuck Swiger"
Cc: "Aaron P. Martinez", freebsd-questions@freebsd.org
Date: Tue, 29 Nov 2005 21:22:28 -0600 (CST)
Subject: Re: pf blocking nfs
Message-ID: <63871.192.168.3.69.1133320948.squirrel@webmail.proficuous.com>
In-Reply-To: <438D1894.90500@mac.com>
References: <60336.192.168.3.69.1133319528.squirrel@webmail.proficuous.com> <438D1894.90500@mac.com>
List: freebsd-questions@freebsd.org (User questions)

> Aaron P. Martinez wrote:
>> I am running FreeBSD 6.0-release and setting up a very basic firewall
>> using pf on my workstation.
>> The ruleset is as follows:
>>
>> block in log all
>> pass quick on lo0 all
>> #pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
>> pass out on fxp0 proto { tcp, udp, icmp } all keep state
>
> Your firewall config is not enough to permit NFS to pass. You might
> consider adding a "pass all" rule for machines on the local subnet.
>
> [ Perhaps you should re-evaluate your network so that you do not attempt
> to pass NFS through the firewall. If you have to do filesharing between
> machines over an untrusted connection, you should consider a VPN or
> SSH tunnel approach instead. ]
>
> --
> -Chuck

Actually my network looks like this:

INT---firewall------internal router/firewall---------good lan
                               |
                               |
                               |---------insecure lan (windoze machines)
                               |
                               |----DMZ

The good lan is the only one that does nfs, so the nfs doesn't actually
pass through the firewall, just connects to the internal router/firewall.
I am simply trying to avoid a worst case scenario (internal router gets
compromised), so trying to allow ONLY return packets. Is this unfeasible?
Can you suggest a rule instead of:

pass out on fxp0 proto { tcp, udp, icmp } all keep state

or in addition to that, which would still keep me very secure and at the
same time allow me to use nfs as I'm trying?

Thanks for the quick reply,

Aaron Martinez
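As an added illustration (not part of the thread, and not Chuck's or Aaron's ruleset), here is one way to keep the "return packets only" policy on the workstation and still run NFSv3. The stateful `pass out` rule already lets the replies to everything the client initiates (rpcbind on 111, mountd, nfsd on 2049, over UDP or TCP) back in, so plain reads and writes are not what the `block in` rule catches. What NFSv3 does need in the inbound direction is the server's lock-manager and status-monitor callbacks (rpc.lockd / rpc.statd), which the server locates through the client's rpcbind. The server address 192.168.3.1 and the pinned ports 4045/4046 are assumptions for the example; the pinning is assumed to be done with `rpc_lockd_flags="-p 4045"` and `rpc_statd_flags="-p 4046"` in rc.conf.

```pf
# Added example pf.conf for the workstation; not from the original thread.
# Assumptions (not in the post):
#   - the NFS server is the internal router at 192.168.3.1
#   - rc.conf pins the client's lock daemons to fixed ports:
#       rpc_lockd_enable="YES"  rpc_lockd_flags="-p 4045"
#       rpc_statd_enable="YES"  rpc_statd_flags="-p 4046"

ext_if     = "fxp0"
nfs_server = "192.168.3.1"        # assumed address of the internal router/NFS server
nlm_ports  = "{ 4045, 4046 }"     # assumed pinned rpc.lockd / rpc.statd ports

# Default deny, logged, so anything NFS-related that is still dropped
# shows up on pflog0 instead of failing silently.
block in log all
pass quick on lo0 all

# Everything the workstation initiates gets a state entry and its replies
# come back through that entry. This covers rpcbind (111), mountd and
# nfsd (2049) over both UDP and TCP, so mounting, reading and writing
# need no inbound rule at all.
pass out on $ext_if proto { tcp, udp, icmp } all keep state

# The only server-initiated traffic NFSv3 needs is the lock-manager and
# status-monitor callbacks (NLM grants, SM_NOTIFY after a server reboot).
# The server looks up the client's lockd/statd ports via the client's
# rpcbind, so 111 must be reachable from the server as well. Open exactly
# these, and only from the server's address.
pass in on $ext_if proto { tcp, udp } from $nfs_server to $ext_if port 111 keep state
pass in on $ext_if proto { tcp, udp } from $nfs_server to $ext_if port $nlm_ports keep state

# Alternative that keeps inbound fully closed: mount with the -L (nolockd)
# option so locks stay local, and drop the two "pass in" rules above.
```

To confirm what the default-deny rule is actually dropping before and after the change, watch the log interface with `tcpdump -n -e -ttt -i pflog0` while attempting the mount; the blocked packets and the rule that matched are printed there. Note that restricting the callbacks to `$nfs_server` limits, but does not eliminate, exposure if that router is compromised, which is the scenario the post is worried about; the `-L` variant is the one that leaves nothing listening for it.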