Re: Improvement to IPFilter / nfsd in FBSD (6.2+?)

2007-01-12 Thread Patrick Lamaizière
Garrett Cooper :

Hello,

 Just wondering if anyone has IPFilter / nfsd setup properly on their
 boxes with any beta versions of FBSD.

 I am having loads of issues transferring large files (~300MB apiece) or
 issues transferring a large number of smaller files (3MB ~ 10MB apiece)
 from a FBSD 6.1 client to a FBSD 6.1 server, where it transfers part of
 the files, then cp / mv get stuck indefinitely on the client system. The
 stuck cp / mv processes cause the client to hang on reboot, and then
 terminate before all of the buffers are written to disk (which forces
 fsck on next boot).

Did you try to use tcp transport with NFS? See the '-T' option of 
mount_nfs(8). See also the -i option (Make the mount interruptible).

Regards.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Improvement to IPFilter / nfsd in FBSD (6.2+?)

2007-01-11 Thread Garrett Cooper
Just wondering if anyone has IPFilter / nfsd setup properly on their 
boxes with any beta versions of FBSD.


I am having loads of issues transferring large files (~300MB apiece) or 
issues transferring a large number of smaller files (3MB ~ 10MB apiece) 
from a FBSD 6.1 client to a FBSD 6.1 server, where it transfers part of 
the files, then cp / mv get stuck indefinitely on the client system. The 
stuck cp / mv processes cause the client to hang on reboot, and then 
terminate before all of the buffers are written to disk (which forces 
fsck on next boot).


Also if you suggest 7-CURRENT, what's the CVS tag for that version?

-Garrett


Re: Improvement to IPFilter / nfsd in FBSD (6.2+?)

2007-01-11 Thread Chuck Swiger

On Jan 11, 2007, at 10:58 AM, Garrett Cooper wrote:
Just wondering if anyone has IPFilter / nfsd setup properly on  
their boxes with any beta versions of FBSD.


It is typically not useful to implement firewall rules between NFS  
servers and legitimate NFS clients.


The large number of RPC services using randomly assigned ports needed  
by NFS and the fact that machines which trust each other enough to  
permit filesharing and generally utilize a common set of directory  
services to keep the user/group mappings synced mean that the NFS  
server & clients should be considered in the same trust domain in  
most cases.



Also if you suggest 7-CURRENT, what's the CVS tag for that version?


The HEAD of the CVS tree (aka .).  Updating to 7-CURRENT won't  
have any effect upon firewall configuration for NFS, however.


--
-Chuck



Firewalls and RPC (was Re: Improvement to IPFilter / nfsd in FBSD (6.2+?))

2007-01-11 Thread Garrett Cooper

Chuck Swiger wrote:

On Jan 11, 2007, at 10:58 AM, Garrett Cooper wrote:
Just wondering if anyone has IPFilter / nfsd setup properly on their 
boxes with any beta versions of FBSD.


It is typically not useful to implement firewall rules between NFS 
servers and legitimate NFS clients.


The large number of RPC services using randomly assigned ports needed 
by NFS and the fact that machines which trust each other enough to 
permit filesharing and generally utilize a common set of directory 
services to keep the user/group mappings synced mean that the NFS 
server & clients should be considered in the same trust domain in 
most cases.
Right, ok. I suppose I was just being lazy/trying to blanket support all 
machines on my subnet without having to delve into individual hosts, but 
that makes perfect sense. rpcbind (and RPC in general) strictly uses 
ports under 1023--assuming that there are enough allocatable ports 
available for each RPC service in the port range 1-1023--if running as 
root, does it not?


Does the same rationale apply for Samba? That's part of the reason why 
I'm concerned with running a firewall.. I run smbd/nmbd on the server 
machine.


Either that, or I could switch to another firewall setup (albeit it'd be 
sort of a pain). Does ipfw / pf work better with RPC than IPFilter?



Also if you suggest 7-CURRENT, what's the CVS tag for that version?


The HEAD of the CVS tree (aka .).  Updating to 7-CURRENT won't have 
any effect upon firewall configuration for NFS, however.
Right. I was just going to see if there was any improvement in how 
things were implemented in 7-CURRENT, because maybe the issues that I'm 
encountering had been 'solved' in 7-CURRENT (although I would probably 
have more issues with core kernel items as they're under heavy 
development it appears given traffic on the current@ list).


Thanks Chuck!
-Garrett


Re: Firewalls and RPC (was Re: Improvement to IPFilter / nfsd in FBSD (6.2+?))

2007-01-11 Thread Chuck Swiger

On Jan 11, 2007, at 12:54 PM, Garrett Cooper wrote:
It is typically not useful to implement firewall rules between NFS  
servers and legitimate NFS clients.


The large number of RPC services using randomly assigned ports  
needed by NFS and the fact that machines which trust each other  
enough to permit filesharing and generally utilize a common set of  
directory services to keep the user/group mappings synced mean  
that the NFS server & clients should be considered in the same  
trust domain in most cases.


Right, ok. I suppose I was just being lazy/trying to blanket  
support all machines on my subnet without having to delve into  
individual hosts, but that makes perfect sense. rpcbind (and RPC in  
general) strictly uses ports under 1023--assuming that there are  
enough allocatable ports available for each RPC service in the port  
range 1-1023--if running as root, does it not?


Actually, no.  While rpcbind/portmap/portmapper is assigned to 111/tcp 
& udp, most other RPC services get assigned high port numbers in  
the 327xx range, but that varies considerably from platform to platform.


Does the same rationale apply for Samba? That's part of the reason  
why I'm concerned with running a firewall.. I run smbd/nmbd on the  
server machine.


Somewhat, yes.  Samba/CIFS filesharing can require less trust between  
server and client as accessing a Samba share does not require  
superuser permissions, just limited user access, but Samba does  
require root access to start up and bind to the low ports it uses,  
and it also involves the network browse master (which nmbd can do)  
and so forth which involve subnet-oriented broadcast traffic.


Samba/CIFS is a chatty protocol.

Either that, or I could switch to another firewall setup (albeit  
it'd be sort of a pain). Does ipfw / pf work better with RPC than  
IPFilter?


No, not really.  What you probably want to focus on is protecting  
your entire subnet, including the fileserver and clients, from  
malicious traffic via your Internet link(s), and then worry about  
egress filtering, dividing your machines into a trusted internal LAN  
and a semi-trusted DMZ, and so forth.


A firewall system should not be running any kind of filesharing;  
while you can run PF, IPFW, etc on your fileserver, that ought to be  
a secondary line of protection for defense in depth, and your  
Internet connection ought to have a dual-homed or multihomed firewall  
machine which is dedicated to that role and which runs zero services.


--
-Chuck

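Chuck's point about RPC port assignment is easy to see from the defender's side. The script below is an added example, not code from this thread or from FreeBSD: it parses rpcinfo(8)-style output (a constructed sample is embedded; on a real server you would pipe in `rpcinfo -p server` instead) and generates the IPFilter pass rules a trusted client would need. Only rpcbind (111) and nfs (2049) sit on fixed ports; mountd, nlockmgr and status were registered on whatever port was free, and the sample port numbers are made up since, as noted above, they vary by platform. The client and server addresses are placeholders from the documentation range.

```shell
#!/bin/sh
# Added example (not from the thread). Shows why firewall rules keyed to RPC
# service ports are fragile: most services register on a port chosen at
# start-up, so rules written against today's ports break after a restart.

# CONSTRUCTED sample in the layout rpcinfo -p prints. Replace the heredoc
# with:  rpcinfo -p "$server"   on a real NFS server.
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp    932  mountd
    100005    3   tcp    952  mountd
    100021    1   udp   1008  nlockmgr
    100021    4   tcp   1012  nlockmgr
    100024    1   udp    712  status
    100024    1   tcp    713  status
EOF
}

# Read rpcinfo output on stdin; print the distinct ports in use, one per
# line, numerically sorted. The header line is dropped because its fourth
# field ("port") is not numeric.
rpc_ports() {
    awk 'NR > 1 && $4 ~ /^[0-9]+$/ { print $4 }' | sort -n -u
}

# Read ports on stdin; emit one IPFilter pass rule per port allowing the
# trusted client $1 to reach the server $2 over tcp or udp with state.
# Every rule for a non-fixed port (mountd, nlockmgr, status) must be
# regenerated whenever those daemons restart, or the daemons pinned to
# fixed ports, which is the practical problem behind Chuck's advice.
ipf_rules_for() {
    client="$1"
    server="$2"
    while read -r port; do
        echo "pass in quick proto tcp/udp from $client to $server port = $port keep state"
    done
}

# Stand-alone run: generate rules for one hypothetical client/server pair
# (addresses are placeholders from the 192.0.2.0/24 documentation range).
ports=$(sample_rpcinfo | rpc_ports)
echo "$ports" | ipf_rules_for 192.0.2.10 192.0.2.1
```

Run as-is it prints eight pass rules, six of which (mountd, nlockmgr, status) are only valid until the next daemon restart. Even with a regeneration step in place, the rules still identify the client purely by source address, which is exactly what Chuck says cannot be trusted on a subnet where anyone can pick their own IP; that is why the thread's conclusion is a dedicated firewall in front of a private subnet rather than per-port rules on the fileserver.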


Re: Firewalls and RPC (was Re: Improvement to IPFilter / nfsd in FBSD (6.2+?))

2007-01-11 Thread Garrett Cooper
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Chuck Swiger wrote:

 Actually, no.  While rpcbind/portmap/portmapper is assigned to 111/tcp 
 & udp, most other RPC services get assigned high port numbers in the 327xx
 range, but that varies considerably from platform to platform.

True. NFS is port 2049 by default, anyhow..

 Somewhat, yes.  Samba/CIFS filesharing can require less trust between
 server and client as accessing a Samba share does not require superuser
 permissions, just limited user access, but Samba does require root
 access to start up and bind to the low ports it uses, and it also
 involves the network browse master (which nmbd can do) and so forth
 which involve subnet-oriented broadcast traffic.
 
 Samba/CIFS is a chatty protocol.

No kidding. The funny thing is that smbclient (Xbox Media Center runs
smbclient) I've learned requires more open ports than regular CIFS
enabled Windows XP hosts to RPC services, which has caused more issues
than it's worth in the past.

 No, not really.  What you probably want to focus on is protecting your
 entire subnet, including the fileserver and clients, from malicious
 traffic via your Internet link(s), and then worry about egress
 filtering, dividing your machines into a trusted internal LAN and a
 semi-trusted DMZ, and so forth.

 A firewall system should not be running any kind of filesharing; while
 you can run PF, IPFW, etc on your fileserver, that ought to be a
 secondary line of protection for defense in depth, and your Internet
 connection ought to have a dual-homed or multihomed firewall machine
 which is dedicated to that role and which runs zero services.

Right. However, I don't trust the rest of the clients on my subnet other
than the ones I maintain, so that's why I have setup the firewall rules
I have.

Sorry for not more clearly defining the situation earlier, but here's
the reasoning / rationale for what I'm doing..


IT nightmare

- -I live in a house with a shared LAN with a total of around 50 hosts
connected / disconnected at various times of the day.

- -I don't trust any of the Windows clients devoid a small handful because
I have had a variety of connectivity problems caused by improperly
managed personal machines, virii, and spyware on machines here.

- -There isn't a real means of properly controlling IP distribution and
people are free to change their IP addresses to whatever they choose
(host information is set statically, not dynamically).

- -I have 5 machines which have access to the network--2 serving machines
and 3 clients which aren't always attached to the network. I have set
the IP addresses up so they all lie in a range, but I don't trust
whether someone will IP squat my address and do whatever they want to my
serving machines (whether they mean to or it happens by accident).

- -Some of the machines on the network have access to the machine serving
via Samba, but that's a limited number.

/IT nightmare

- -Garrett
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.1 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFprE4EnKyINQw/HARAjwyAKCY9F8O2rkdet2/gxNNqCQXij0xgwCfSF3/
tswDC5ovt0A5r3Tg7s7BSqE=
=iVhr
-END PGP SIGNATURE-


Re: Firewalls and RPC (was Re: Improvement to IPFilter / nfsd in FBSD (6.2+?))

2007-01-11 Thread Chuck Swiger

On Jan 11, 2007, at 1:50 PM, Garrett Cooper wrote:
Actually, no.  While rpcbind/portmap/portmapper is assigned to 111/tcp & 
udp, most other RPC services get assigned high port numbers in the 327xx 
range, but that varies considerably from platform to platform.


True. NFS is port 2049 by default, anyhow..


Good example, yet this is true on some platforms but not on others.

A firewall system should not be running any kind of filesharing; while 
you can run PF, IPFW, etc on your fileserver, that ought to be a 
secondary line of protection for defense in depth, and your Internet 
connection ought to have a dual-homed or multihomed firewall machine 
which is dedicated to that role and which runs zero services.


Right. However, I don't trust the rest of the clients on my subnet other 
than the ones I maintain, so that's why I have setup the firewall rules 
I have.


You really don't want to mix machines which are trusted with machines  
which are not trusted on the same subnet.  If you can't control which  
client machines get which IPs, you pretty much cannot use firewall  
rules to restrict filesharing only to the legit clients.



Sorry for not more clearly defining the situation earlier, but here's
the reasoning / rationale for what I'm doing..

IT nightmare

- -I live in a house with a shared LAN with a total of around 50 hosts
connected / disconnected at various times of the day.

- -I don't trust any of the Windows clients devoid a small handful because 
I have had a variety of connectivity problems caused by improperly 
managed personal machines, virii, and spyware on machines here.

- -There isn't a real means of properly controlling IP distribution and 
people are free to change their IP addresses to whatever they choose 
(host information is set statically, not dynamically).

- -I have 5 machines which have access to the network--2 serving machines 
and 3 clients which aren't always attached to the network. I have set 
the IP addresses up so they all lie in a range, but I don't trust 
whether someone will IP squat my address and do whatever they want to my 
serving machines (whether they mean to or it happens by accident).

- -Some of the machines on the network have access to the machine serving 
via Samba, but that's a limited number.


Perhaps you should consider setting up your own private subnet for  
your machines, and having a firewall guarding access to your machines  
which performs static NAT for the set of five IP addresses you've  
made claim to.


--
-Chuck



Re: Firewalls and RPC (was Re: Improvement to IPFilter / nfsd in FBSD (6.2+?))

2007-01-11 Thread Garrett Cooper
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Chuck Swiger wrote:

snip

 You really don't want to mix machines which are trusted with machines
 which are not trusted on the same subnet.  If you can't control which
 client machines get which IPs, you pretty much cannot use firewall rules
 to restrict filesharing only to the legit clients.

Excellent point.

snip

 Perhaps you should consider setting up your own private subnet for your
 machines, and having a firewall guarding access to your machines which
 performs static NAT for the set of five IP addresses you've made claim to.

I'm really starting to think that'd be a good idea. Thanks again for the
comments--it really helps.
- -Garrett
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.1 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFprRBEnKyINQw/HARAo8cAJ4sHIowqgCRbFMv6JDufsowxEDGGACePLKj
NqyrOFDj6gbTQscMws0q6zg=
=mDqk
-END PGP SIGNATURE-