IPFW / NFSD

2006-01-25 Thread Mark Frasa

Hello,

I am currently running 1 HTTP server on FreeBSD 6.0.

Of course, like anyone who likes security, I am running IPFW and set 
the kernel to block by default.


Behind that HTTP server I am running 2 Linux boxes.

The problem is that when I enable the firewall and open up the ports from 
rpcinfo -p:


   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100000    4 local    111  rpcbind
    100000    3 local    111  rpcbind
    100000    2 local    111  rpcbind
    100005    1   udp    668  mountd
    100005    3   udp    668  mountd
    100005    1   tcp    984  mountd
    100005    3   tcp    984  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs

I opened up all these ports but I can't do an ls or write to NFS or whatever.
Then I thought maybe it's trying something local, so I added:

$cmd add 00225 allow ip from 1.2.3.4/24 to any keep-state

Even this does not work.

Tcpdump shows me that when I have ipfw open, it only communicates with 
port 2049 and I don't see anything more.


Can anybody help me out here?

Additional info:

{ [EMAIL PROTECTED] } uname -a
FreeBSD arcas 6.0-RELEASE-p1 FreeBSD 6.0-RELEASE-p1 #2: Wed Jan  4 
15:45:38 UTC 2006 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/ARCAS  i386



Mark.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


RE: IPFW / NFSD

2006-01-25 Thread fbsd_user


Post complete content of your rules file for review by people here
on list.




Re: IPFW / NFSD

2006-01-25 Thread Mark Frasa

fbsd_user wrote:


Post complete content of your rules file for review by people here
on list.



Here is the list:

# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif=vr0 # public interface name of NIC
  # facing the public Internet
secure=ip2.of.this.box
arcas=ip.of.this.box

$cmd 00010 allow all from any to any via lo0
$cmd 00015 check-state
$cmd 00100 allow ip from any to any out via $pif keep-state
$cmd 00200 allow tcp from any to $arcas 80 in via $pif
$cmd 00310 allow icmp from any to any in via $pif

# Allow in secure from selected ip's
$cmd 00410 allow tcp from x.x.x.x/32 to $secure 22 in via $pif keep-state
$cmd 00411 allow tcp from x.x.x.x/32 to $secure 22 in via $pif keep-state

# Allow in nfs requests on secured ip from own network only
$cmd 00425 allow ip from x.x.x.x/24 to $secure setup keep-state

# deny and log all packets that fell through to see what they are
$cmd 00999 deny log all from any to any

Mark.
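The rule set above admits the RPC traffic with a single `allow ip ... setup keep-state` rule; ipfw's `setup` option matches only TCP packets with SYN set, so the udp transports in the rpcinfo listing (rpcbind, mountd and nfs over udp) never match it and fall through to the final deny rule. As an added example that is not part of the thread, this Python script parses an rpcinfo -p listing and emits one explicit ipfw rule per tcp/udp endpoint, restricted to the internal network and the NFS address. The rpcinfo text is constructed from the listing posted above; `$cmd`, `$secure` and `x.x.x.x/24` are the poster's own placeholders, and the rule numbers are assumed.

```python
import re

# Constructed sample: a copy of the rpcinfo -p listing posted in the thread.
RPCINFO_OUTPUT = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    4 local    111  rpcbind
    100005    1   udp    668  mountd
    100005    3   udp    668  mountd
    100005    1   tcp    984  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
"""

# program, version, proto, port, service
LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Return sorted, de-duplicated (proto, port, service) triples for the
    network transports; 'local' (unix-socket) bindings need no firewall rule."""
    endpoints = set()
    for line in text.splitlines():
        m = LINE.match(line)
        if m is None:          # header line or noise
            continue
        proto, port, service = m.group(3), int(m.group(4)), m.group(5)
        if proto in ("tcp", "udp"):
            endpoints.add((proto, port, service))
    return sorted(endpoints)


def ipfw_rules(endpoints, first_rule, src_net, dst_ip):
    """One explicit ipfw rule per endpoint. 'setup' only makes sense for tcp
    (it matches SYN-only packets); udp gets plain keep-state so the
    check-state rule at the top of the set lets the replies back out."""
    rules = []
    for i, (proto, port, service) in enumerate(endpoints):
        state = "setup keep-state" if proto == "tcp" else "keep-state"
        rules.append(f"$cmd {first_rule + i:05d} allow {proto} from {src_net} "
                     f"to {dst_ip} {port} {state}  # {service}")
    return rules


if __name__ == "__main__":
    # mountd's ports (668/984 here) are assigned when it starts and can change
    # across reboots; pin them (FreeBSD's mountd -p) or regenerate these rules.
    for rule in ipfw_rules(parse_rpcinfo(RPCINFO_OUTPUT), 425, "x.x.x.x/24", "$secure"):
        print(rule)
```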


Re: IPFW / NFSD

2006-01-25 Thread Chuck Swiger
Mark Frasa wrote:
 I am currently running 1 HTTP server on FreeBSD 6.0
 
 Offcourse, like anyone that likes security, i am running IPFW and set
 the kernel to block by default.
 
 Behind that HTTP server i am running 2 Linux boxes.
 
 The problem is that when i enable the firewall and openup ports from
 rpcinfo -p:
[ ... ]
 I opened up all these ports but i cant do an ls or write to nfs or
 whatever.

You should not be running portmap and NFS on a firewall machine.  You should not
attempt to pass NFS or other filesharing through a firewall, except perhaps by
using VPN tunneling.

If this existing machine needs to do NFS to your other Linux boxes, it should be
placed behind a properly hardened firewall which perhaps uses NAT to forward
HTTP connections inside to it.

-- 
-Chuck


Re: IPFW / NFSD

2006-01-25 Thread Mark Frasa



Chuck Swiger wrote:

You should not be running portmap and NFS on a firewall machine.  You should not
attempt to pass NFS or other filesharing through a firewall, except perhaps by
using VPN tunneling.

If this existing machine needs to do NFS to your other Linux boxes, it should be
placed behind a properly hardened firewall which perhaps uses NAT to forward
HTTP connections inside to it.



Let me explain in more detail:

I have:

INTERNET

FIREWALL/NFSD/HTTPD Machine

LINUXBOX    LINUXBOX

The boxes are on a /24 network and the firewall has 2 IPs, 1 for local 
and 1 for outside connections, but both in the same subnet.


I want to use the $secure IP for nfsd and ssh connections, while using 
$arcas as the IP for port 80 connections.


What I don't get is that when I open up the $secure IP for the /24 network I 
still get timeouts when writing to nfsd.


Mark.