IPFW / NFSD
Hello,

I am currently running 1 HTTP server on FreeBSD 6.0. Of course, like anyone that likes security, I am running IPFW and set the kernel to block by default. Behind that HTTP server I am running 2 Linux boxes.

The problem is that when I enable the firewall and open up ports from rpcinfo -p:

   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100000    4 local    111  rpcbind
    100000    3 local    111  rpcbind
    100000    2 local    111  rpcbind
    100005    1   udp    668  mountd
    100005    3   udp    668  mountd
    100005    1   tcp    984  mountd
    100005    3   tcp    984  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs

I opened up all these ports but I can't do an ls or write to nfs or whatever. Then I thought maybe it's trying something local so I added:

$cmd add 00225 allow ip from 1.2.3.4/24 to any keep-state

Even this does not work. Tcpdump shows me that when I have ipfw open, it only communicates with port 2049 and I don't see anything more.

Can anybody help me out here?

Additional info:
{ [EMAIL PROTECTED] } uname -a
FreeBSD arcas 6.0-RELEASE-p1 FreeBSD 6.0-RELEASE-p1 #2: Wed Jan 4 15:45:38 UTC 2006 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/ARCAS i386

Mark.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
RE: IPFW / NFSD
Post complete content of your rules file for review by people here on list.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Frasa
Sent: Wednesday, January 25, 2006 4:04 AM
To: freebsd-questions@freebsd.org
Subject: IPFW / NFSD

> Hello, I am currently running 1 HTTP server on FreeBSD 6.0. Of course, like anyone that likes security, I am running IPFW and set the kernel to block by default. Behind that HTTP server I am running 2 Linux boxes.
>
> [ ... ]
Re: IPFW / NFSD
fbsd_user wrote:
> Post complete content of your rules file for review by people here on list.
>
> [ ... ]

Here is the list:

# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"

pif=vr0                 # public interface name of NIC
                        # facing the public Internet
secure=ip2.of.this.box
arcas=ip.of.this.box

$cmd 00010 allow all from any to any via lo0
$cmd 00015 check-state
$cmd 00100 allow ip from any to any out via $pif keep-state
$cmd 00200 allow tcp from any to $arcas 80 in via $pif
$cmd 00310 allow icmp from any to any in via $pif

# Allow in secure from selected ip's
$cmd 00410 allow tcp from x.x.x.x/32 to $secure 22 in via $pif keep-state
$cmd 00411 allow tcp from x.x.x.x/32 to $secure 22 in via $pif keep-state

# Allow in nfs requests on secured ip from own network only
$cmd 00425 allow ip from x.x.x.x/24 to $secure setup keep-state

# deny and log all packets that fell through to see what they are
$cmd 00999 deny log all from any to any

Mark.
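An added example, not part of the thread and not Mark's ruleset: rule 00425 as posted next to a corrected pair of rules, generated by a small script so the two variants can be compared before anything is loaded. The point it illustrates applies to the rules file above and to the later report of timeouts on writes to nfsd: the ipfw keyword "setup" matches only TCP segments with SYN set and ACK clear, so a rule written as "allow ip ... setup" never matches a UDP datagram, and portmap, mountd and NFS-over-UDP requests from the LAN fall through to the final "deny log" rule. That is consistent with tcpdump showing only traffic towards port 2049 and nothing coming back, since Linux clients of that era mount NFS over UDP unless given proto=tcp. The addresses, the interface and the mountd port are constructed placeholders (mountd normally picks a random port, as the rpcinfo output shows; on FreeBSD mountd(8) accepts -p to pin it). By default the script only echoes the rules, so it runs on any host; on the FreeBSD box, run it with IPFW="ipfw -q add" to load them.

```shell
#!/bin/sh
# Added example, not part of the thread: Mark's rule 00425 next to a
# corrected TCP/UDP pair. All addresses and ports below are constructed
# placeholders. By default the rules are only echoed (dry run); on the
# FreeBSD box run it with IPFW="ipfw -q add" to load them.
IPFW="${IPFW:-echo ipfw -q add}"
LAN="192.0.2.0/24"    # placeholder for the /24 the Linux boxes are on
SECURE="192.0.2.1"    # placeholder for $secure, the NFS/ssh address
MOUNTD_PORT=984       # placeholder; pin it with mountd_flags="-p 984" in rc.conf

# Rule 00425 as posted. "setup" matches only TCP segments with SYN set and
# ACK clear, so no UDP datagram (portmap, mountd, NFS over UDP) ever matches
# it and they all fall through to the final "deny log" rule.
original_rule() {
    $IPFW 00425 allow ip from "$LAN" to "$SECURE" setup keep-state
}

# Corrected rules: a stateful TCP rule and a stateful UDP rule, each
# limited to the RPC services being exported (portmap 111, nfs 2049,
# mountd on its pinned port).
corrected_rules() {
    $IPFW 00425 allow tcp from "$LAN" to "$SECURE" 111,2049,"$MOUNTD_PORT" setup keep-state
    $IPFW 00426 allow udp from "$LAN" to "$SECURE" 111,2049,"$MOUNTD_PORT" keep-state
}

# Helper for checking a generated rule set: how many of its rules can match
# a UDP datagram at all (0 for the original, 1 for the corrected set).
udp_rule_count() {
    "$@" | grep -c ' udp ' || true
}

# Show both variants when run directly.
echo "# original:";  original_rule
echo "# corrected:"; corrected_rules
```

Once the corrected rules are loaded, "ipfw -a list" prints per-rule packet and byte counters, so it is immediately visible whether the LAN's datagrams are now hitting 00426 or are still landing on 00999; hits on the "deny log" rule also show up in the security log (/var/log/security on a default FreeBSD syslog.conf), which is the first place to look when a mount or write times out. If rpc.lockd and rpc.statd are in use they need the same treatment: pin their ports and add them to the port lists. Narrowing the rules to the /24 reduces what is reachable, but it does not change Chuck's point later in the thread that the RPC services are still running on the border host itself.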
Re: IPFW / NFSD
Mark Frasa wrote:
> I am currently running 1 HTTP server on FreeBSD 6.0. Of course, like anyone that likes security, I am running IPFW and set the kernel to block by default. Behind that HTTP server I am running 2 Linux boxes.
>
> The problem is that when I enable the firewall and open up ports from rpcinfo -p:
>
> [ ... ]
>
> I opened up all these ports but I can't do an ls or write to nfs or whatever.

You should not be running portmap and NFS on a firewall machine. You should not attempt to pass NFS or other filesharing through a firewall, except perhaps by using VPN tunneling.

If this existing machine needs to do NFS to your other Linux boxes, it should be placed behind a properly hardened firewall which perhaps uses NAT to forward HTTP connections inside to it.

-- 
-Chuck
Re: IPFW / NFSD
Chuck Swiger wrote:
> Mark Frasa wrote:
>> I am currently running 1 HTTP server on FreeBSD 6.0. Of course, like anyone that likes security, I am running IPFW and set the kernel to block by default. Behind that HTTP server I am running 2 Linux boxes.
>>
>> [ ... ]
>>
>> I opened up all these ports but I can't do an ls or write to nfs or whatever.
>
> You should not be running portmap and NFS on a firewall machine. You should not attempt to pass NFS or other filesharing through a firewall, except perhaps by using VPN tunneling.
>
> If this existing machine needs to do NFS to your other Linux boxes, it should be placed behind a properly hardened firewall which perhaps uses NAT to forward HTTP connections inside to it.

Let me explain in more detail; I have:

                INTERNET
                    |
        FIREWALL/NFSD/HTTPD Machine
            /               \
       LINUXBOX           LINUXBOX

The boxes are on a /24 network and the firewall has 2 IPs, 1 for local and 1 for outside connections, but both in the same subnet. I want to use the $secure IP for nfsd and ssh connections, while using $arcas as the IP for port 80 connections.

What I don't get is that when I open up the $secure IP for the /24 network I still get timeouts when writing to nfsd.

Mark.