Date:      Sun, 27 Apr 2003 20:08:11 -0500 (CDT)
From:      Robert Johannes <rjohanne@piper.hamline.edu>
To:        freebsd-ipfw@freebsd.org
Subject:   nfs and ipfw
Message-ID:  <Pine.GSO.4.44.0304271329390.2317-100000@mendeleev.hamline.edu>
In-Reply-To: <200304271259.02025.ajacoutot@lphp.org>

I recently built a 4.8-stable system, with firewalling.  It is not a
gateway/router, just an nfs and samba server, but I built in the firewall
so I can prohibit potential traffic from the router/gateway in case
it was broken into.

I'm using normal ipfw, with the following rules:

allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any
allow tcp from any to any established
allow ip from any to any frag
allow tcp from any to any setup
allow ip from $nfsclient to $fileserver keep-state
allow ip from xx.xx.xx.1 to $fileserver keep-state
deny ip from any to any


The router/gateway is at xx.xx.xx.254.  I'm able to mount the filesystems
from the $fileserver, but I'm not able to write a substantial amount of
data to the filesystems; I can create a file by 'touching' one on the nfs
filesystem, but I can't copy a big file onto the filesystem.  I have
successfully copied a file as big as the /etc/hosts file (a few bytes).
From watching tcpdump, it seems that any time there's significant i/o on
the nfs filesystem, the fileserver stops responding, and I note the
following lines repeated perhaps a hundred or more times:

15:04:32.619887 $nfsclient > $nfsserver: (frag 7506:340@32560)
15:04:32.619906 $nfsclient > $nfsserver: (frag 7506:1480@31080+)
15:04:32.619934 $nfsclient > $nfsserver: (frag 7506:1480@29600+)
15:04:32.619949 $nfsclient > $nfsserver: (frag 7506:1480@28120+)
15:04:32.619962 $nfsclient > $nfsserver: (frag 7506:1480@26640+)
15:04:32.619975 $nfsclient > $nfsserver: (frag 7506:1480@25160+)
15:04:32.619987 $nfsclient > $nfsserver: (frag 7506:1480@23680+)
15:04:32.619998 $nfsclient > $nfsserver: (frag 7506:1480@22200+)
15:04:32.620009 $nfsclient > $nfsserver: (frag 7506:1480@20720+)

At this point I get an "nfs: server $nfsserver not responding, timed out"
message logged on the nfsclient.

I'm pretty sure it has to do with my ipfw configuration, but I can't
pinpoint the problem.  Any ideas?

robert
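The tcpdump lines above are dense enough that it is worth reading them programmatically. The following is an added example, not code from the original post or from FreeBSD: it parses tcpdump 3.x style "(frag ID:LEN@OFFSET+)" lines (the nine lines quoted above are embedded as constructed sample input), groups them by IP id, works out the original datagram size and how many fragments it should have at a 1500-byte MTU, and tags each fragment with the kind of ipfw rule that can match it. The one fact it relies on is ipfw's documented semantics: the `frag` keyword matches only fragments with a non-zero offset, so a first fragment (offset 0, the only one carrying the UDP header) has to be matched by an ordinary protocol/keep-state rule, while every later fragment needs a rule such as `allow ip from any to any frag`. The uniform 1480-byte fragment size is an assumption taken from the capture.

```python
"""Added example: parse tcpdump fragment lines of the form printed in the post
and work out, per IP id, how big the datagram is, which fragments are seen,
and which of them the ipfw 'frag' keyword can match."""
import math
import re
from collections import defaultdict

# tcpdump 3.x prints an IP fragment as "(frag ID:LEN@OFFSET+)": LEN is the
# number of payload bytes in this fragment, OFFSET its byte offset inside the
# original datagram, and a trailing "+" means the More-Fragments bit is set.
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")

# Constructed sample input: the nine tcpdump lines quoted in the post.
SAMPLE_LINES = """\
15:04:32.619887 $nfsclient > $nfsserver: (frag 7506:340@32560)
15:04:32.619906 $nfsclient > $nfsserver: (frag 7506:1480@31080+)
15:04:32.619934 $nfsclient > $nfsserver: (frag 7506:1480@29600+)
15:04:32.619949 $nfsclient > $nfsserver: (frag 7506:1480@28120+)
15:04:32.619962 $nfsclient > $nfsserver: (frag 7506:1480@26640+)
15:04:32.619975 $nfsclient > $nfsserver: (frag 7506:1480@25160+)
15:04:32.619987 $nfsclient > $nfsserver: (frag 7506:1480@23680+)
15:04:32.619998 $nfsclient > $nfsserver: (frag 7506:1480@22200+)
15:04:32.620009 $nfsclient > $nfsserver: (frag 7506:1480@20720+)
"""


def parse_frag_line(line):
    """Return the fragment fields of one tcpdump line, or None if it is not a fragment."""
    m = FRAG_RE.search(line)
    if m is None:
        return None
    ipid, length, offset, more = m.groups()
    return {"id": int(ipid), "len": int(length), "offset": int(offset), "more": more == "+"}


def ipfw_match(frag):
    """Which kind of ipfw rule can see this fragment.

    ipfw's 'frag' keyword matches only a fragment whose offset is non-zero,
    never the first one.  Only the first fragment carries the UDP/TCP header,
    so it is the only one a rule with a protocol, port or keep-state clause
    can match; every later fragment has to be passed by a rule such as
    'allow ip from any to any frag' or it falls through to the final deny.
    """
    return "frag" if frag["offset"] > 0 else "first"


def summarize(capture, mtu=1500):
    """Group fragments by IP id and report what a receiver could reassemble.

    Assumption: every fragment carries mtu-20 payload bytes (20-byte IP
    header, no options), which is what the 1480-byte fragments in the post show.
    """
    per_id = defaultdict(dict)
    for line in capture.splitlines():
        frag = parse_frag_line(line)
        if frag is not None:
            per_id[frag["id"]][frag["offset"]] = frag

    payload = mtu - 20
    report = {}
    for ipid, frags in per_id.items():
        # The fragment without More-Fragments set is the last one; its end
        # marks the original datagram's IP payload length.
        last = next((f for f in frags.values() if not f["more"]), None)
        total = last["offset"] + last["len"] if last else None
        expected = math.ceil(total / payload) if total else None
        missing = ([i * payload for i in range(expected) if i * payload not in frags]
                   if expected else [])
        rules = defaultdict(int)
        for f in frags.values():
            rules[ipfw_match(f)] += 1
        report[ipid] = {
            "total_len": total,                 # IP payload bytes of the datagram
            "expected_fragments": expected,
            "seen_fragments": len(frags),
            "has_first": 0 in frags,            # the fragment with the UDP header
            "missing_offsets": missing,
            "matched_by": dict(rules),
        }
    return report


if __name__ == "__main__":
    for ipid, r in summarize(SAMPLE_LINES).items():
        print(f"ip id {ipid}: {r['total_len']} bytes in {r['expected_fragments']} fragments, "
              f"{r['seen_fragments']} seen, first fragment seen: {r['has_first']}")
        print(f"  rule kinds needed: {r['matched_by']}, missing offsets: {r['missing_offsets']}")
```

Run against the quoted lines, the script reports IP id 7506 as a datagram with 32900 bytes of IP payload (roughly a 32 KB UDP datagram) that would be carried in 23 fragments of 1480 bytes, of which the capture excerpt shows only the nine highest offsets and none at offset 0. All nine are non-first fragments, i.e. the kind that only the `allow ip from any to any frag` rule in the posted ruleset can pass; the offset-0 fragment, when it appears, is the one that has to be matched by the `keep-state` rule for $nfsclient. Comparing which fragments of each id arrive and which never do is the check to run when an ipfw ruleset and fragmented NFS traffic disagree.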



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?Pine.GSO.4.44.0304271329390.2317-100000>