Date: Thu, 23 Nov 2006 19:55:19 +0000 From: vittorio <vdemart1@tin.it> To: freebsd-questions@freebsd.org Subject: Re: IPFW & NFS Message-ID: <200611231955.20223.vdemart1@tin.it> In-Reply-To: <Pine.BSF.3.96.1061123153915.5597A-100000@gaia.nimnet.asn.au> References: <Pine.BSF.3.96.1061123153915.5597A-100000@gaia.nimnet.asn.au>
Well, I tried something similar to your
ipfw add xxx allow udp from ${client} to ${server} ${nfsports} keep-state
ipfw add 300 allow udp from 10.0.0.2 to 10.0.0.1 2049,111,1022 setup keep-state
(it differs from your line in the setup option).
It didn't work at all.
Afterwards, following Chuck's advice, I had a go at modifying the ipfw firewall
in the nfs client 10.0.0.2 (no firewall for the time being on the nfs server
10.0.0.1) and added towards the end of the list, immediately before the very
last line denying everything else:
50000 allow ip from 10.0.0.1 to 10.0.0.2
51000 allow ip from 10.0.0.2 to 10.0.0.1
65535 deny ip from any to any
It seemed to work.... partially! I mean that I could mount_nfs the share in
the client, browse the directories, read and write files in the share,
BUT ... out of the blue, after some minutes the client froze and I had to
reboot :-( brutally turning the box off and on.
Help please
Vittorio
On Thursday 23 November 2006 at 05:25, Ian Smith wrote:
> vittorio <vdemiart1@tin.it> wrote:
> > I have two FreeBSD 6.1 boxes one of which (IP 10.0.0.1) is an NFS server
> > and the other one (IP 10.0.0.2) is, among other things, an NFS client
> > sharing directories with the NFS server.
> > It all works correctly and I can mount_nfs all the directories from the
> > server.
> > BUT, I'm now trying to use an IPFW firewall both on the server and on
> > the client. My simple aim is to setup connections between the 10.0.0.1
> > server and the 10.0.0.2 client ** only **; no connections should be
> > possible with other clients!
> > Now I've tried the poor documentation I could find googling with the
> > keywords "freebsd ipfw nfs" to no avail, I cannot mount_nfs any share on
> > the client because something goes wrong with RPC.
> > Concentrating on the client side (no ipfw for the moment on the server)
> > I tried the following
> >
> > ipfw add 300 allow ip from 10.0.0.1 2049,111,1022 to 10.0.0.2 via fxp0
> > setup keep-state
> >
> > OR
> > ipfw add 300 allow ip from 10.0.0.1 to 10.0.0.2 2049,111,1022 via fxp0
> > setup keep-state
> >
> > OR
> > ipfw add 300 allow ip from 10.0.0.1 2049,111,1022 to me via fxp0 setup
> > keep-state
> >
> > OR
> > ipfw add 300 allow ip from 10.0.0.1 to me 2049,111,1022 via fxp0 setup
> > keep-state
> >
> > If I disable the firewall it all goes smoothly.
>
> Firstly, what Chuck and Bill said .. but some further points ..
>
> Secondly, you don't specify port numbers with 'allow ip', which covers
> tcp, udp and raw ip packets also; you want 'allow udp' here, unless of
> course you're using NFS over TCP as well, where you'd need 'allow tcp'.
> Note also that 'setup' only applies to TCP connections.
>
> Thirdly, if you do want to use stateful rules on the client, you'll do
> better doing them on your _outbound_ connections, something like:
>
> ipfw add xxx allow udp from ${client} to ${server} ${nfsports} keep-state
>
> If it were me I'd concentrate on the server side firewall rules (and
> /etc/exports allowed hosts) both for allowing desired and disallowing
> undesired connections, so not having to worry much about what client/s
> may or may not be doing.
>
> 'man ipfw' is actually pretty good documentation, though there is a fair
> bit to absorb there. I still read it before bedtime now and again :)
>
> Ciao, Ian
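The points Ian makes above (separate udp and tcp rules because 'allow ip' takes no port numbers, 'setup' only on tcp, state kept on the client's outbound requests, and the server as the main enforcement point together with /etc/exports) written out as a complete rule set for the two hosts in the thread. This is an added example, not code from the thread, from Ian, or from the FreeBSD base system. Assumptions that the thread does not state are listed in the script header: the interface name fxp0 on both hosts, mountd pinned to port 1022 via rc.conf, and NFS locking (rpc.lockd/rpc.statd, which use their own RPC ports) left out.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rules for one NFS server (10.0.0.1)
# that may only be used by one NFS client (10.0.0.2), emitted as text in the
# form that "ipfw <file>" loads, so they can be reviewed before use.
#
# Assumptions, not facts from the thread:
#  - fxp0 is the NFS-facing interface on both hosts
#  - rpcbind listens on 111, nfsd on 2049, and mountd has been pinned to 1022
#    with mountd_flags="-p 1022" in /etc/rc.conf (otherwise mountd picks a
#    random port and no fixed port list can match it)
#  - rpc.lockd/rpc.statd are not in use; they need their own pinned ports
#  - /etc/exports on the server lists only the client, e.g. "/export 10.0.0.2"
#  - "deny log" only writes to the log when net.inet.ip.fw.verbose=1

server=10.0.0.1
client=10.0.0.2
iface=fxp0
nfsports="111,2049,1022"

# Emit one rule line without the "ipfw" prefix, as expected by "ipfw <file>".
rule() { printf 'add %s\n' "$*"; }

common_rules() {
    rule 100 allow ip from any to any via lo0
    rule 200 deny ip from any to 127.0.0.0/8
    rule 300 deny ip from 127.0.0.0/8 to any
    # Packets belonging to a flow created by a keep-state rule are matched
    # here, before the static rules, so replies need no inbound "allow".
    rule 400 check-state
}

# Server side: only ${client} may reach the NFS ports. udp and tcp need
# separate rules ("allow ip" cannot carry ports); "setup" is tcp-only.
# Anything else aimed at those ports is denied explicitly and logged.
server_rules() {
    common_rules
    rule 1000 allow udp from $client to $server $nfsports in via $iface keep-state
    rule 1100 allow tcp from $client to $server $nfsports in via $iface setup keep-state
    rule 1200 deny log udp from any to $server $nfsports in via $iface
    rule 1300 deny log tcp from any to $server $nfsports in via $iface
    rule 65534 deny ip from any to any
}

# Client side: state is kept on the outbound request, so the server's
# replies are matched by the dynamic rule at check-state (rule 400).
client_rules() {
    common_rules
    rule 1000 allow udp from $client to $server $nfsports out via $iface keep-state
    rule 1100 allow tcp from $client to $server $nfsports out via $iface setup keep-state
    rule 65534 deny ip from any to any
}

case "${1:-}" in
    server) server_rules ;;
    client) client_rules ;;
    "")     : ;;   # sourced or run without arguments: only define the functions
    *)      echo "usage: $0 server|client" >&2; exit 1 ;;
esac
```

Run it as `sh nfs_ipfw.sh server > /etc/ipfw.nfs.rules` on the server (or `client` on the client), inspect the file, then load it with `ipfw -q -f flush` followed by `ipfw -q /etc/ipfw.nfs.rules`, the file form documented in ipfw(8). The assumed mountd port pinning matters more than the rule syntax: with a dynamic mountd port the 'allow' rules above match nothing and every mount fails at the RPC stage, which is the symptom from the first message in the thread.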
