Date:      Mon, 04 Apr 2005 10:39:57 +0200
From:      Erik Nørgaard <norgaard@locolomo.org>
To:        Matt Juszczak <matt@atopia.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPFILTER and NFS
Message-ID:  <4250FD5D.8070101@locolomo.org>
In-Reply-To: <4250B71F.60309@atopia.net>
References:  <424F8B94.7050006@atopia.net> <424FCDD3.6040507@locolomo.org> <425030A0.4000809@atopia.net> <42503A76.20309@locolomo.org> <4250B71F.60309@atopia.net>

Matt Juszczak wrote:
> ---snip---
> # Default pass out
> pass out quick on em0 all keep state
> 
> # Fragmented/Short/Opts/Fprinting packets
> block in quick on em0 all with ipopts
> block in quick on em0 all with frag
> block in quick on em0 proto tcp all with short
> block in quick on em0 proto tcp all flags FUP
> 
> # Block local nets
> block in quick on em0 from 255.255.255.255/32 to any
> block in quick on em0 from 192.168.0.0/16 to any
> block in quick on em0 from 172.16.0.0/12 to any
> block in quick on em0 from 127.0.0.0/8 to any
> block in quick on em0 from 10.0.0.0/8 to any
> block in quick on em0 from 0.0.0.0/32 to any
> ---snip---

You haven't said a word about your network setup or your server's IP, and I 
don't know your default rules. Your ruleset is mostly useless without 
that info.

Have you compiled with default block? If not, then your client is open 
to incoming connections from almost anywhere, and if you have, then your 
block rules have no use.

NFS is udp - I think you can force tcp, but I think this requires 
changes on the server also.

udp is stateless, so stateful filtering is somewhat guesswork. It 
works this way for, say, dns: your host sends out a udp packet with a dns 
request; ip-filter knows dns and so expects a udp packet back, 
usually within a minute.

Now, ip-filter may not know nfs that well, or the nfs protocol may just 
be weird. Since you know your nfs server, you could do:

   pass in quick proto udp from <nfs server>/32 to <client>/32

For clarity, I suggest you write two blocks of rules, incoming and 
outgoing, with both tcp and udp protocols for that server. It makes it 
easier to see what is going on.

Make sure you start your ruleset with your default rules explicit:

   block in  log all
   block out log all

and enable logging on _all_ block rules. Start ipmon to log to a 
separate file.

Default rules should never match; if they do, it is an indication that there 
is something you have not taken care of. OK, this is not strictly true, 
but if they never match then it indicates you have written an explicit 
rule for each possible packet, i.e. you have thought about everything.

If you still have problems, submit your ipmon log file and your full 
tested ruleset.

Cheers, Erik
-- 
Ph: +34.666334818                           web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
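As an added example (not part of the thread above, and not Matt's or Erik's actual configuration), the following shell script generates an IPFilter ruleset laid out the way the reply recommends, with the default block rules explicit and logged at the top, then separate incoming and outgoing blocks for both tcp and udp to the NFS server, and lints a ruleset for the two points Erik makes: every block rule must log, and the explicit defaults must come first. The interface name (em0), the addresses (RFC 5737 documentation space) and the function names are assumptions; the sample ruleset in the usage note is constructed to mirror the quoted one.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed interface name and
# addresses; adjust to the real client and NFS server.

IFACE="${IFACE:-em0}"

# Emit a ruleset: explicit logged defaults first, then explicit in/out
# rules for tcp and udp between this client and the NFS server.
gen_ipf_rules() {
    server="$1"; client="$2"
    cat <<EOF
# Explicit default rules first. Without "quick" a later matching rule
# overrides them, so they only hit packets nothing else accounted for.
block in  log all
block out log all

# NFS server $server <-> this client $client, incoming and outgoing,
# both tcp and udp. "quick" stops evaluation at the first match;
# "keep state" lets the replies through without a separate rule.
pass in  quick on $IFACE proto udp from $server/32 to $client/32 keep state
pass in  quick on $IFACE proto tcp from $server/32 to $client/32 keep state
pass out quick on $IFACE proto udp from $client/32 to $server/32 keep state
pass out quick on $IFACE proto tcp from $client/32 to $server/32 keep state

# Everything else this host initiates is allowed; replies are tracked.
pass out quick on $IFACE all keep state
EOF
}

# Lint 1 (stdin): every "block" rule must carry "log" right after in/out.
# Prints the offenders to stderr and returns 1 if any, 0 otherwise.
check_blocks_logged() {
    bad=$(grep -E '^[[:space:]]*block' \
          | grep -vE '^[[:space:]]*block[[:space:]]+(in|out)[[:space:]]+log([[:space:]]|$)' \
          || true)
    if [ -n "$bad" ]; then
        printf 'block rules without log:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Lint 2 (stdin): the first two real rules must be the explicit defaults.
check_defaults_first() {
    first=$(grep -vE '^[[:space:]]*(#|$)' | head -n 2 | tr -s ' ' | paste -s -d '|' -)
    [ "$first" = "block in log all|block out log all" ]
}

# Usage:
#   gen_ipf_rules 192.0.2.10 192.0.2.20 > /etc/ipf.rules.new
#   check_blocks_logged   < /etc/ipf.rules.new && echo "all blocks logged"
#   check_defaults_first  < /etc/ipf.rules.new && echo "defaults first"
```

Run against a constructed ruleset shaped like the quoted one (a bare `pass out quick ... keep state` followed by unlogged `block in quick` lines), both checks fail, which is exactly the point of the reply: with no explicit logged defaults you cannot tell from ipmon which packets fell through. With ipmon writing to its own file, a hit on either default rule is then a packet you have not written a rule for.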


