Date:      Sun, 27 Apr 2003 20:08:11 -0500 (CDT)
From:      Robert Johannes <>
Subject:   nfs and ipfw
Message-ID:  <>
In-Reply-To: <>

I recently built a 4.8-stable system, with firewalling.  It is not a
gateway/router, just an nfs and samba server, but I built in the firewall
so I can prohibit potential traffic from the router/gateway in case
it was broken into.

I'm using normal ipfw, with the following rules:

allow ip from any to any via lo0
deny ip from any to
deny ip from to any
allow tcp from any to any established
allow ip from any to any frag
allow tcp from any to any setup
allow ip from $nfsclient to $fileserver keep-state
allow ip from xx.xx.xx.1 to $fileserver keep-state
deny ip from any to any

The router/gateway is at xx.xx.xx.254.  I'm able to mount the filesystems
from the $fileserver, but I'm not able to write a substantial amount of
data to the filesystems; I can create a file by 'touching' one on the nfs
filesystem, but I can't copy a big file onto the filesystem.  I have
successfully copied a file as big as the /etc/hosts files (a few bytes).
From watching tcpdump, it seems that any time there's significant i/o on
the nfs filesystem, the fileserver stops responding, and I note the
following lines repeated perhaps a hundred or more times:

15:04:32.619887 $nfsclient > $nfsserver: (frag 7506:340@32560)
15:04:32.619906 $nfsclient > $nfsserver: (frag 7506:1480@31080+)
15:04:32.619934 $nfsclient > $nfsserver: (frag 7506:1480@29600+)
15:04:32.619949 $nfsclient > $nfsserver: (frag 7506:1480@28120+)
15:04:32.619962 $nfsclient > $nfsserver: (frag 7506:1480@26640+)
15:04:32.619975 $nfsclient > $nfsserver: (frag 7506:1480@25160+)
15:04:32.619987 $nfsclient > $nfsserver: (frag 7506:1480@23680+)
15:04:32.619998 $nfsclient > $nfsserver: (frag 7506:1480@22200+)
15:04:32.620009 $nfsclient > $nfsserver: (frag 7506:1480@20720+)

At this point I get an "nfs: server $nfsserver not responding, timed out"
message logged on the nfsclient.

I'm pretty sure it has to do with my ipfw configuration, but I can't
pinpoint the problem.  Any ideas?
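A parser for the tcpdump fragment notation shown in the post, as an added example that is not part of the original message or of ipfw. It groups the `(frag id:size@offset+)` lines by IP id, reports the total datagram length and any holes, and counts the non-first fragments, which carry no UDP header and therefore cannot be matched by a port-based or keep-state rule, only by a rule that matches fragments explicitly. The nine lines for id 7506 are the ones quoted above (`$nfsclient` and `$nfsserver` are the poster's placeholders); the two lines for id 7507 are constructed to show a datagram that does reassemble.

```python
"""Parse tcpdump '(frag id:size@offset[+])' lines and check whether each
IP datagram could be reassembled from the fragments seen.

Added example for this thread, not code from the original post. The
7506 sample lines are quoted from the post; the 7507 lines are constructed.
"""
import re
from dataclasses import dataclass

# tcpdump prints fragment offset and size in bytes (it already multiplies
# the 8-byte units); a trailing '+' means the More Fragments bit is set.
HDR_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):")
FRAG_RE = re.compile(r"\(frag\s+(?P<id>\d+):(?P<size>\d+)@(?P<off>\d+)(?P<more>\+?)\)")


@dataclass
class Fragment:
    ts: str
    src: str
    dst: str
    ip_id: int
    size: int
    offset: int
    more: bool


def parse_line(line: str):
    """Return a Fragment for a tcpdump fragment line, else None."""
    h = HDR_RE.match(line.strip())
    f = FRAG_RE.search(line)
    if not (h and f):
        return None
    return Fragment(h["ts"], h["src"], h["dst"], int(f["id"]), int(f["size"]),
                    int(f["off"]), f["more"] == "+")


def reassembly_report(lines):
    """Group fragments by IP id and report holes and completeness.

    Assumption: keying on the 16-bit IP id alone is good enough for a short
    capture between one client/server pair; a real reassembler also keys on
    source, destination and protocol."""
    groups = {}
    for frag in filter(None, map(parse_line, lines)):
        groups.setdefault(frag.ip_id, []).append(frag)
    report = {}
    for ip_id, frags in groups.items():
        frags.sort(key=lambda f: f.offset)
        last = [f for f in frags if not f.more]          # MF bit clear
        total = last[0].offset + last[0].size if last else None
        holes, expected = [], 0
        for f in frags:
            if f.offset > expected:
                holes.append((expected, f.offset))       # bytes never seen
            expected = max(expected, f.offset + f.size)
        has_first = frags[0].offset == 0
        report[ip_id] = {
            "fragments": len(frags),
            # Only the offset-0 fragment carries the UDP/TCP header, so it is
            # the only one a port-based or keep-state firewall rule can match;
            # the others need a rule that matches fragments explicitly.
            "non_first_fragments": sum(1 for f in frags if f.offset > 0),
            "total_length": total,
            "has_first_fragment": has_first,
            "holes": holes,
            "complete": has_first and total is not None and not holes,
        }
    return report


SAMPLE_LINES = [
    # quoted from the post: tail of a large NFS write, last fragment first
    "15:04:32.619887 $nfsclient > $nfsserver: (frag 7506:340@32560)",
    "15:04:32.619906 $nfsclient > $nfsserver: (frag 7506:1480@31080+)",
    "15:04:32.619934 $nfsclient > $nfsserver: (frag 7506:1480@29600+)",
    "15:04:32.619949 $nfsclient > $nfsserver: (frag 7506:1480@28120+)",
    "15:04:32.619962 $nfsclient > $nfsserver: (frag 7506:1480@26640+)",
    "15:04:32.619975 $nfsclient > $nfsserver: (frag 7506:1480@25160+)",
    "15:04:32.619987 $nfsclient > $nfsserver: (frag 7506:1480@23680+)",
    "15:04:32.619998 $nfsclient > $nfsserver: (frag 7506:1480@22200+)",
    "15:04:32.620009 $nfsclient > $nfsserver: (frag 7506:1480@20720+)",
    # constructed: a small datagram whose first fragment shows the UDP ports
    "15:04:33.000101 $nfsclient.800 > $nfsserver.2049: udp 1972 (frag 7507:1480@0+)",
    "15:04:33.000118 $nfsclient > $nfsserver: (frag 7507:500@1480)",
]

if __name__ == "__main__":
    for ip_id, info in sorted(reassembly_report(SAMPLE_LINES).items()):
        print(ip_id, info)
```

On the post's excerpt it reports datagram 7506 as 32900 bytes long with a hole from byte 0 to 20720 (the capture shows only the tail of the write, so the offset-0 fragment with the NFS/UDP ports is not in the quoted lines), while the constructed 7507 datagram is 1980 bytes and complete. The `non_first_fragments` count is the part a firewall administrator cares about: every one of those packets has to pass a fragment rule, because no dynamic rule can see the ports it belongs to.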

