From owner-freebsd-hackers Fri Jun 9 6:39:10 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from mxbh4.isus.emc.com (mxbh4.isus.emc.com [168.159.208.52]) by hub.freebsd.org (Postfix) with ESMTP id 20EC037C3B6 for ; Fri, 9 Jun 2000 06:38:53 -0700 (PDT) (envelope-from Neff_Glen@emc.com)
Received: by mxbh4.isus.emc.com with Internet Mail Service (5.5.2448.0) id ; Fri, 9 Jun 2000 09:38:49 -0400
Message-ID: <0DD20620B8B8D311985F00D0B708153B69C058@corpmx6.isus.emc.com>
From: Neff_Glen@emc.com
To: hackers@freebsd.org
Subject: Problem mounting NFS exports from multi-homed servers
Date: Fri, 9 Jun 2000 09:38:22 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I am looking to implement FreeBSD as a router/natd platform for five private 10.x.x.x/24 subnets to connect to the public world via a sixth NIC. Our immediate public address space is a protected network, so I am not concerned with any firewalling features.

The one problem standing in the way of my being able to implement this solution is a very specific problem with mounting NFS exports from multi-homed servers on our network. We have this problem both from the FreeBSD box itself and from the "NAT'ed" clients on the 10.x.x.x networks it serves.

The FreeBSD box in question has the hostname "snowspeeder" and its primary IP address is 128.222.25.177/24. Its 'uname -a' output is:

    FreeBSD snowspeeder.rtp.dg.com 3.4-RELEASE FreeBSD 3.4-RELEASE #3: Tue May 30 15:59:31 EDT 2000 gneff@snowspeeder.rtp.dg.com:/usr/src/sys/compile/router i386

There are several servers that exploit this problem, but I will provide one practical example. The server's primary hostname is "commtg3" and it runs DG/UX R4.20MU05. Its specific hostname and address info is as follows:

    commtg3        128.222.8.29/24
    commtg3-thiin  128.222.25.1/24

Note that the "commtg3-thiin" interface is on the same segment as the FreeBSD box (snowspeeder). This server is known to users as "commtg3." When they issue any command to access it, they use its common name.

Say I try to mount an NFS export on commtg3 that I do not have rights to:

    root@snowspeeder-/root$ mount commtg3:/usr/opt/sdk test
    nfs: can't access /usr/opt/sdk: Permission denied

Just as we should expect. Now let's say we try to mount an export that does not exist:

    root@snowspeeder-/root$ mount commtg3:/usr/ack/bleh test1
    nfs: can't access /usr/ack/bleh: No such file or directory

Again, just like we should expect. Now with an export that both exists and that we have rights to:

    root@snowspeeder-/root$ mount commtg3:/usr/local test2
    (roughly three minute pause)
    nfs server commtg3:/usr/local: not responding

Now let's try the same NFS export, only specify the hostname for the interface on the same segment:

    root@snowspeeder-/root$ mount commtg3-thiin:/usr/local test3
    root@snowspeeder-/root$ mount
    /dev/wd0s3a on / (ufs, local, writes: sync 95 async 3300)
    /dev/wd0s3f on /usr (ufs, local, writes: sync 41 async 8214)
    /dev/wd0s3e on /var (ufs, local, writes: sync 540 async 5797)
    procfs on /proc (procfs, local)
    commtg3-thiin:/usr/local on /root/test3 (nfs)

And as you can see, that works just fine.

Now we've put a sniffer on the 128.222.25.0/24 segment and what it looks like is happening is that the requests destined to the 128.222.8.29 address go out fine on the router and are received by commtg3 just fine on that segment, but that when commtg3 answers it looks at the source IP (128.222.25.177) and then replies back on its 128.222.25.1 interface (for which I can't blame it), but then snowspeeder rejects the response packets because they do not come back with the same source address as the original destination address of the request.

What I really don't understand is how or why we get errors for such things as "permission denied" or "no such file or directory," yet we can't complete a proper mount request. What I believe I need to do is figure out how to make FreeBSD not be so picky about where the responses to mount requests are coming from.

I am running the bare minimum ipfw configuration that "man natd" says is necessary for NAT:

    gneff@snowspeeder-/usr/home/gneff$ cat /etc/rc.firewall
    /sbin/ipfw -f flush
    /sbin/ipfw add divert natd all from any to any via sf0
    /sbin/ipfw add pass all from any to any

My rc.network file is unchanged from the v3.4-release distribution.

Thank you in advance for any assistance you can offer. In the hopes that it may be helpful, I will paste my kernel configuration and my rc.conf files below.

Regards,
Glen

-----

    machine         "i386"
    cpu             "I686_CPU"
    ident           GENERIC
    maxusers        32

    options         NMBCLUSTERS=2048
    options         IPFIREWALL
    options         IPDIVERT

    options         INET                    #InterNETworking
    options         FFS                     #Berkeley Fast Filesystem
    options         FFS_ROOT                #FFS usable as root device [keep this!]
    options         MFS                     #Memory Filesystem
    options         NFS                     #Network Filesystem
    options         "CD9660"                #ISO 9660 Filesystem
    options         PROCFS                  #Process filesystem
    options         "COMPAT_43"             #Compatible with BSD 4.3 [KEEP THIS!]
    options         SCSI_DELAY=15000        #Be pessimistic about Joe SCSI device
    options         UCONSOLE                #Allow users to grab the console
    options         FAILSAFE                #Be conservative
    options         USERCONFIG              #boot -c editor
    options         VISUAL_USERCONFIG       #visual boot -c editor
    options         KTRACE                  #ktrace(1) syscall trace support
    options         SYSVSHM                 #SYSV-style shared memory
    options         SYSVMSG                 #SYSV-style message queues
    options         SYSVSEM                 #SYSV-style semaphores

    config          kernel  root on wd0

    controller      isa0
    controller      pci0

    controller      fdc0    at isa? port "IO_FD1" bio irq 6 drq 2
    disk            fd0     at fdc0 drive 0

    controller      wdc0    at isa? port "IO_WD1" bio irq 14
    disk            wd0     at wdc0 drive 0

    controller      wdc1    at isa? port "IO_WD2" bio irq 15
    disk            wd2     at wdc1 drive 0

    options         ATAPI                   #Enable ATAPI support for IDE bus
    options         ATAPI_STATIC            #Don't do it as an LKM
    device          acd0                    #IDE CD-ROM

    controller      scbus0                  # SCSI bus (required)

    controller      atkbdc0 at isa? port IO_KBD tty
    device          atkbd0  at isa? tty irq 1
    device          vga0    at isa? port ? conflicts
    pseudo-device   splash
    device          sc0     at isa? tty

    device          npx0    at isa? port IO_NPX irq 13

    device          sio0    at isa? port "IO_COM1" flags 0x10 tty irq 4
    device          sio1    at isa? port "IO_COM2" tty irq 3

    device          ppc0    at isa? port? flags 0x40 net irq 7
    controller      ppbus0                  # Parallel port bus (required)
    device          lpt0    at ppbus?       # Printer
    device          ppi0    at ppbus?       # Parallel port interface device

    device          sf0                     # Adaptec AIC-6915 DuraLAN (``Starfire'')

    pseudo-device   loop                    # Network loopback
    pseudo-device   ether                   # Ethernet support
    pseudo-device   tun     1               # Packet tunnel
    pseudo-device   pty     16              # Pseudo-ttys (telnet etc)
    pseudo-device   gzip                    # Exec gzipped a.out's
    pseudo-device   bpfilter 8              #Berkeley packet filter

-----

    saver="daemon"
    blanktime="180"
    keyrate="fast"
    network_interfaces="sf5 sf4 sf3 sf2 sf1 sf0 lo0"
    ifconfig_sf5="inet 10.5.200.1 netmask 255.255.255.0"
    ifconfig_sf4="inet 10.4.200.1 netmask 255.255.255.0"
    ifconfig_sf3="inet 10.3.200.1 netmask 255.255.255.0"
    ifconfig_sf2="inet 10.2.200.1 netmask 255.255.255.0"
    ifconfig_sf1="inet 10.1.200.1 netmask 255.255.255.0"
    ifconfig_sf0="inet 128.222.25.177 netmask 255.255.255.0"
    defaultrouter="128.222.25.253"
    gateway_enable="YES"
    firewall_enable="YES"
    natd_enable="YES"
    natd_flags="-s -m"
    natd_interface="128.222.25.177"
    defaultrouter="128.222.25.253"
    hostname="snowspeeder.rtp.dg.com"

/*
 Glen R. J. Neff
 neff_glen@emc.com
 919-248-6145
 Dirty deeds done for a meager 20% markup. . .
*/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
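An added example, not part of Glen's post: a small Python check that pairs each UDP NFS request with its reply in tcpdump-style capture lines (as produced with `tcpdump -n`) and flags replies whose source address is not the address the request was sent to, which is the asymmetric pattern his sniffer showed. The capture lines, client port numbers and timestamps are constructed; the addresses are the ones from the post.

```python
import re

# Constructed tcpdump -n style capture (not from the original post). The client
# 128.222.25.177 sends one NFS request to the server's far interface
# 128.222.8.29 and one to its near interface 128.222.25.1; the multi-homed
# server answers both from 128.222.25.1.
SAMPLE_CAPTURE = """\
10:01:01.000001 128.222.25.177.1023 > 128.222.8.29.2049: udp 120
10:01:01.000900 128.222.25.1.2049 > 128.222.25.177.1023: udp 96
10:01:02.000001 128.222.25.177.1022 > 128.222.25.1.2049: udp 120
10:01:02.000700 128.222.25.1.2049 > 128.222.25.177.1022: udp 96
"""

# timestamp, then "src.sport > dst.dport: udp ..."; the greedy address class
# backtracks so the last dotted field is taken as the port.
LINE_RE = re.compile(
    r"^\S+\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): udp")


def parse_line(line):
    """Return (src, sport, dst, dport) for a UDP capture line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def find_asymmetric_replies(capture, client, server_port=2049):
    """Return (request_dst, reply_src, client_port) for each reply whose source
    address differs from the address the client sent the request to.

    A client whose UDP socket is connect(2)ed to the server address it mounted
    drops exactly these replies, so the mount appears to hang even though the
    server did answer."""
    expected = {}   # client source port -> server address the request went to
    mismatches = []
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, sport, dst, dport = pkt
        if src == client and dport == server_port:
            expected[sport] = dst
        elif dst == client and sport == server_port and dport in expected:
            if src != expected[dport]:
                mismatches.append((expected[dport], src, dport))
    return mismatches


if __name__ == "__main__":
    for req_dst, reply_src, port in find_asymmetric_replies(SAMPLE_CAPTURE, "128.222.25.177"):
        print(f"client port {port}: asked {req_dst}, answered by {reply_src}")
```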