Re: IPFILTER and NFS

From: Matt Juszczak (matt_at_atopia.net)
Date: Sun, 03 Apr 2005 14:06:24 -0400
To: Erik Nørgaard <norgaard@locolomo.org>


    Problem is that I need to firewall the client.

    I don't have access to the NFS server... only the client. Your
    configuration info showed me making changes on the server. Is there a
    way to make the client work OK?

    -Matt

    Erik Nørgaard wrote:

    > Matt Juszczak wrote:
    >
    >> Howdy,
    >>
    >> Trying to get IPFILTER and NFS working. A google search didn't show
    >> much about my specific issue. With ipfilter working, nfs initially
    >> works, until someone tries to login. Then it stops working. With my
    >> firewall down on the NFS-CLIENT machine, it works fine. Any ideas?
    >>
    >> It appears to be an issue with random ports....
    >
    >
    > It is. NFS is an RPC service: the RPC daemon is asked for info on
    > which port mountd binds to. I wrote a howto for diskless clients,
    > www.daemonsecurity.com/pxe/ - here's what to do:
    >
    > Enable nfs in /etc/rc.conf:
    >
    > rpcbind_enable="YES" # Run the portmapper service (YES/NO).
    > nfs_server_enable="YES" # This host is an NFS server (or NO).
    > mountd_enable="YES" # Run mountd (or NO).
    > mountd_flags="-r -p 59" # Force mountd to bind on port 59
    >
    > As a minimum you need to enable rpcbind, nfs_server and mountd. lockd
    > and statd provide file locking and status monitoring. By default,
    > when mountd starts it binds to some arbitrary port, and RPC is used to
    > discover which, making it impossible to firewall. With option '-p'
    > mountd can be forced to bind to a specific port. Port 59 is assigned
    > to "any private file service" (see /etc/services).
    >
    > This limits the relevant ports to 59, 111 and 2049. You can't force
    > lockd and statd to bind to specific ports (they are also RPC
    > services), and AFAIK you can't have disk quotas work correctly
    > because of this.
    >
    > AFAIK NFS4 should address these problems, but the NFS4 server is still
    > experimental.
    >
    > Till then, RPC is a security nightmare.
    >
    > Erik

    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
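Seen from the client Matt is asking about, the same port problem applies in both directions: the client must reach rpcbind (111), nfsd (2049) and whatever port mountd took on the server, and for NFSv3 file locking the server's lockd/statd must in turn reach rpcbind, lockd and statd on the client, which a default-deny client firewall silently blocks. The script below is an added example, not code from the thread or from Erik's howto. It turns `rpcinfo -p` output into IPFilter rules for the client side and tags the ports that rpcbind hands out at start-up, so you know they have to be regenerated after a restart. The server address 192.0.2.10, the interface fxp0 and both rpcinfo tables are constructed for the example.

```shell
#!/bin/sh
# Added example: build client-side IPFilter (ipf.conf) rules from `rpcinfo -p`.
# Not from the thread; server 192.0.2.10 and interface fxp0 are hypothetical.
#
#   rpcinfo -p 192.0.2.10 | nfs_ipf_rules out 192.0.2.10 fxp0   # client -> server
#   rpcinfo -p            | nfs_ipf_rules in  192.0.2.10 fxp0   # server -> client callbacks
#
# "out" passes every (proto, port) pair the server registered with rpcbind.
# "in" passes only rpcbind, nlockmgr and status on the client, which the
# server's lockd/statd contact for NFSv3 locking and status monitoring.
nfs_ipf_rules() {
    dir="$1"; srv="$2"; ifc="$3"
    awk -v dir="$dir" -v srv="$srv" -v ifc="$ifc" '
        $1 == "program" { next }                 # column header of rpcinfo -p
        NF < 5 { next }                          # blank or unexpected line
        {
            proto = $3; port = $4; svc = $5
            if (dir == "in" && svc != "rpcbind" && svc != "nlockmgr" && svc != "status") next
            key = proto ":" port
            if (key in seen) next                # one rule per proto/port, not per RPC version
            seen[key] = 1
            note = ""
            if (svc == "nlockmgr" || svc == "status")
                note = "   # rpcbind-assigned port: regenerate after restart"
            if (dir == "in")
                printf "pass in quick on %s proto %s from %s to any port = %d keep state%s\n", ifc, proto, srv, port, note
            else if (proto == "tcp")
                printf "pass out quick on %s proto tcp from any to %s port = %d flags S keep state%s\n", ifc, srv, port, note
            else
                printf "pass out quick on %s proto udp from any to %s port = %d keep state%s\n", ifc, srv, port, note
        }
    '
}

# Constructed `rpcinfo -p` output for the server, with mountd pinned to 59 (mountd_flags="-r -p 59").
SERVER_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100005    1   udp     59  mountd
    100005    3   udp     59  mountd
    100005    1   tcp     59  mountd
    100005    3   tcp     59  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp    712  nlockmgr
    100021    3   tcp    945  nlockmgr
    100024    1   udp    822  status
    100024    1   tcp    823  status'

# Constructed `rpcinfo -p` output for the client itself (lockd/statd on random ports).
CLIENT_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100021    1   udp    714  nlockmgr
    100021    3   tcp    951  nlockmgr
    100024    1   udp    830  status
    100024    1   tcp    831  status'

echo "# client -> server"
printf '%s\n' "$SERVER_RPCINFO" | nfs_ipf_rules out 192.0.2.10 fxp0
echo "# server -> client (lock/status callbacks)"
printf '%s\n' "$CLIENT_RPCINFO" | nfs_ipf_rules in 192.0.2.10 fxp0
```

Put the generated lines in front of the client's `block in all` / `block out all` defaults and reload with `ipf -Fa -f /etc/ipf.rules`. Without the `-p` pin on the server, the mountd rule is as volatile as the lockd/statd ones, which is the situation Matt is in; a cron job that re-runs `rpcinfo -p` against the server and reloads when the output changes is the usual workaround when you cannot change the server.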

