Hello,
If anyone is interested, I've got NFS going with a pf firewall on 6.2. I
use a block-by-default policy and the client is a Linux client running its
iptables firewall, but it does work. I'm not sure about ipfw's rule
syntax, but for pf (and I think ipf) this should do it. The trick is UDP and
TCP 111, TCP 2049, and TCP 986 / UDP 669; those last two are so that mountd
can be contacted. On the NFS server I have this in rc.conf:
rpcbind_enable="YES"
rpcbind_flags="-h 192.168.1.44" # i use jails on this box
nfs_server_enable="YES"
nfs_server_flags="-u -t -n 4 -h 192.168.1.44" # jails on this system
mountd_flags="-r"
and in my pf.conf file I have:
pass in quick on $ext_if inet proto { tcp, udp } from <client-ip> to $ext_if port 111 flags S/SA keep state
pass in quick on $ext_if inet proto tcp from <client-ip> to $ext_if port 2049 flags S/SA keep state
pass in quick on $ext_if inet proto tcp from <client-ip> to $ext_if port 986 flags S/SA keep state
pass in quick on $ext_if inet proto udp from <client-ip> to $ext_if port 669 keep state
The only thing I'm not sure of is whether any of the ports will change if
the box is rebooted; I've restarted the services several times and they hold
the same ports.
Hth
Dave.
----- Original Message -----
From: "Bruce M. Simpson" <[EMAIL PROTECTED]>
To: "Eygene Ryabinkin" <[EMAIL PROTECTED]>
Cc: <freebsd-net@FreeBSD.org>; "Jeremie Le Hen" <[EMAIL PROTECTED]>
Sent: Friday, June 15, 2007 1:47 PM
Subject: Re: Firewalling NFS
Eygene Ryabinkin wrote:
NFSD binds to the port nfsd (2049) and for my -CURRENT both lockd
and statd have '-p' options:
-----
$ man rpc.lockd rpc.statd | grep -- -p
rpc.lockd [-d debug_level] [-g grace period] [-p port]
-p The -p option allow to force the daemon to bind to the specified
rpc.statd [-d] [-p port]
-p The -p option allow to force the daemon to bind to the specified
-----
Are we talking about same entities?
I added the -p switch to mountd(8) a few years ago, as I needed to run a
read-only NFS server exposed to the outside world; to firewall it I needed
a deterministic RPC port number, which is what -p gives you. Otherwise you
have to rely on the TCP wrapper support built into rpcbind(8). The
rpc.lockd and rpc.statd daemons were recently changed to incorporate this
switch too, although I don't think it has been backported to the 6-STABLE
branch yet.
Regards,
BMS
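Dave's rules above hard-code the mountd ports, and Bruce's point is that only mountd -p makes them deterministic; the following added shell snippet (not code from the thread; the client address 192.168.1.10, the $ext_if macro and the rpcinfo sample are constructed) reads `rpcinfo -p` output, reports the port mountd is currently registered on, and generates the matching pf rules so they can be compared with pf.conf after a reboot.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads `rpcinfo -p` output (here a
# constructed sample; on a real server use: rpcinfo -p | gen_pf_rules ...),
# lists the ports each RPC service is registered on, and emits one pf rule
# per registered socket so the rules can be re-checked after a reboot.
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp    669  mountd
    100005    3   udp    669  mountd
    100005    1   tcp    986  mountd
    100005    3   tcp    986  mountd'

# rpc_ports SERVICE: print unique "proto port" pairs registered for SERVICE.
rpc_ports() {
    awk -v svc="$1" '$5 == svc { print $3, $4 }' | sort -u
}

# mountd_port PROTO: the port mountd is registered on for PROTO (tcp|udp),
# or nothing if it is not registered; compare this with the value pinned
# via "mountd_flags=-p" to confirm the firewall rule still matches.
mountd_port() {
    rpc_ports mountd | awk -v p="$1" '$1 == p { print $2; exit }'
}

# gen_pf_rules CLIENT IFMACRO: one "pass in quick" rule per distinct
# proto/port that rpcbind, nfs or mountd has registered. "flags S/SA" is
# added only on TCP rules, since pf flag matching applies to TCP only.
gen_pf_rules() {
    awk -v c="$1" -v i="$2" '
        $5 == "rpcbind" || $5 == "nfs" || $5 == "mountd" {
            key = $3 " " $4
            if (seen[key]++) next
            flags = ($3 == "tcp") ? " flags S/SA" : ""
            printf "pass in quick on %s inet proto %s from %s to %s port %s%s keep state\n",
                i, $3, c, i, $4, flags
        }'
}

# Stand-alone run: show mountd's TCP port and the generated rules for one client.
printf '%s\n' "$RPCINFO_SAMPLE" | mountd_port tcp
printf '%s\n' "$RPCINFO_SAMPLE" | gen_pf_rules 192.168.1.10 '$ext_if'
```

Run it against the live `rpcinfo -p` on the server and diff the output against the rules loaded with `pfctl -sr` to catch a mountd port that moved.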
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"