Well I tried something similar to your
ipfw add xxx allow udp from ${client} to ${server} ${nfsports} keep-state
ipfw add 300 allow udp from to 2049,111,1022 setup 
(it differs from your line for the setup option).
It didn't work at all.

Afterwards, following Chuck's advice, I had a go at modifying the ipfw firewall 
in the nfs client (no firewall for the time being on the nfs server) and added towards the end of the list, immediately before the very 
last line denying everything else:

50000 allow ip from to
51000 allow ip from to
65535 deny ip from any to any 

It seemed to work... partially! I mean that I could mount_nfs the share in 
the client, surfing the directories, reading and writing files in the share, 
BUT ... out of the blue, after some minutes the client froze and I had to 
reboot :-( brutally turning off and on the box.

Help please

At 05:25 on Thursday 23 November 2006, Ian Smith wrote:
> vittorio <[EMAIL PROTECTED]> wrote:
>  > I have two FreeBSD 6.1 boxes one of which (IP is an NFS server
>  > and the other one (IP is, among other things, an NFS client
>  > sharing directories with the NFS server.
>  > It all works correctly and I can mount_nfs all the directories from the
>  > server.
>  > BUT, I'm now trying to use an IPFW firewall both on the server and on
>  > the client. My simple aim is to setup connections between the
>  > server and the client ** only **; no connections should be
>  > possible with other clients!
>  > Now I've tried the poor documentation I could find googling with the
>  > keywords "freebsd ipfw nfs" to no avail, I cannot mount_nfs any share on
>  > the client because something goes wrong with RPC.
>  > Concentrating on the client side (no ipfw for the moment on the server)
>  > I tried the following
>  >
>  > ipfw add 300 allow ip from 2049,111,1022 to via fxp0
>  > setup keep-state
>  >
>  > OR
>  > ipfw add 300 allow ip from to  2049,111,1022 via fxp0
>  > setup keep-state
>  >
>  > OR
>  > ipfw add 300 allow ip from 2049,111,1022 to me via fxp0 setup
>  > keep-state
>  >
>  > OR
>  > ipfw add 300 allow ip from to me  2049,111,1022 via fxp0 setup
>  > keep-state
>  >
>  > If I disable the firewall it all goes smoothly.
> Firstly, what Chuck and Bill said .. but some further points ..
> Secondly, you don't specify port numbers with 'allow ip', which covers
> tcp, udp and raw ip packets also; you want 'allow udp' here, unless of
> course you're using NFS over TCP as well, where you'd need 'allow tcp'.
> Note also that 'setup' only applies to TCP connections.
> Thirdly, if you do want to use stateful rules on the client, you'll do
> better doing them on your _outbound_ connections, something like:
>   ipfw add xxx allow udp from ${client} to ${server} ${nfsports} keep-state
> If it were me I'd concentrate on the server side firewall rules (and
> /etc/exports allowed hosts) both for allowing desired and disallowing
> undesired connections, so not having to worry much about what client/s
> may or may not be doing.
> 'man ipfw' is actually pretty good documentation, though there is a fair
> bit to absorb there.  I still read it before bedtime now and again :)
> Ciao, Ian
freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
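
The three points in Ian's quoted reply (no port lists with 'allow ip', 'setup' applies only to TCP, keep-state belongs on the outbound client-to-server rule) can be checked mechanically before a ruleset is loaded. The linter below is an added example, not part of the original thread; the finding names are hypothetical and the 192.0.2.x addresses are constructed stand-ins for the addresses missing from the messages.

```python
import re

ACTIONS = {"allow", "accept", "pass", "permit", "deny", "drop"}
PORTS = re.compile(r"\d+(-\d+)?(,\d+(-\d+)?)*")  # e.g. 2049,111,1022

def lint_rule(rule):
    """Return finding codes (hypothetical names) for one 'ipfw add' line."""
    tok = rule.split()
    try:
        act = next(i for i, t in enumerate(tok) if t in ACTIONS)
        proto = tok[act + 1]
        f, t = tok.index("from"), tok.index("to")
    except (StopIteration, ValueError, IndexError):
        return ["unparsed"]
    # The first token after from/to is the address; a port list may follow it.
    src_ports = [x for x in tok[f + 2:t] if PORTS.fullmatch(x)]
    dst_ports = [x for x in tok[t + 2:t + 3] if PORTS.fullmatch(x)]
    findings = []
    # 'allow ip' covers tcp, udp and raw ip, so it takes no port numbers.
    if proto in ("ip", "all") and (src_ports or dst_ports):
        findings.append("ports-with-ip")
    # 'setup' only applies to TCP connections, so it never passes UDP NFS.
    if "setup" in tok and proto != "tcp":
        findings.append("setup-non-tcp")
    # Heuristic: ports on the source side only means the rule describes the
    # server's reply; state should be created by the outbound request.
    if "keep-state" in tok and src_ports and not dst_ports:
        findings.append("state-on-reply")
    return findings

# Constructed sample rules modelled on the ones in the thread.
CLIENT, SERVER, NFSPORTS = "192.0.2.10", "192.0.2.20", "2049,111,1022"
SAMPLES = [
    f"ipfw add 300 allow ip from {SERVER} {NFSPORTS} to {CLIENT} via fxp0 setup keep-state",
    f"ipfw add 300 allow udp from {CLIENT} to {SERVER} {NFSPORTS} setup",
    f"ipfw add 300 allow udp from {CLIENT} to {SERVER} {NFSPORTS} keep-state",
]

if __name__ == "__main__":
    for rule in SAMPLES:
        print(lint_rule(rule) or ["ok"], "<-", rule)
```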
