IPFILTER and NFS - FreeBSD

  1. #1

    IPFILTER and NFS

    Howdy,

    Trying to get IPFILTER and NFS working. A google search didn't show
    much about my specific issue. With ipfilter working, nfs initially
    works, until someone tries to login. Then it stops working. With my
    firewall down on the NFS-CLIENT machine, it works fine. Any ideas?

    It appears to be an issue with random ports....

    Thanks,

    Matt
    Matt Guest

  2. #2

    Re: IPFILTER and NFS

    Matt Juszczak wrote: 

    It is, NFS is an RPC service where the RPC daemon is requested for
    info on which port mountd binds to. I wrote a howto for diskless
    clients, www.daemonsecurity.com/pxe/ - here's what to do:

    Enable nfs in /etc/rc.conf:

    rpcbind_enable="YES" # Run the portmapper service (YES/NO).
    nfs_server_enable="YES" # This host is an NFS server (or NO).
    mountd_enable="YES" # Run mountd (or NO).
    mountd_flags="-r -p 59" # Force mountd to bind on port 59

    As a minimum you need to enable rpcbind, nfsserver and mountd. lockd and
    statd provide file locking and status monitoring. By default, when
    mountd starts it binds to some arbitrary port, and rpc is used to
    discover which, making it impossible to firewall. With option '-p' mountd
    can be forced to bind to a specific port. Port 59 is assigned to "any
    private file service" (see /etc/services).

    This limits the number of ports relevant to 59, 111 and 2049. You can't
    force lockd and statd to bind to specific ports (they are also RPC
    services) and AFAIK you can't have disk quotas work correctly because of
    this.

    AFAIK NFS4 should address these problems, but the NFS4 server is still
    experimental.

    Till then, RPC is a security nightmare.

    Erik
    --
    Ph: +34.666334818 web: http://www.locolomo.org
    S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
    Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
    Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
    Erik Guest
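    The port-discovery point above (rpcbind on 111 tells clients where mountd and
    the other RPC services bound, so only the services pinned to fixed ports can be
    firewalled by port) can be checked from the client side. The following script is
    an added example, not code from the thread or from the howto Erik links to. It
    parses the output layout of `rpcinfo -p` (program, vers, proto, port, service)
    and reports which services sit on a predictable port. The sample output is
    constructed to match the setup in the thread: mountd forced to port 59 with
    mountd_flags="-r -p 59", nfs on 2049, rpcbind on 111, and lockd/statd on
    whatever ports they happened to pick.

```python
"""Audit an NFS host's RPC services for fixed vs. arbitrary ports.

Added example (not from the thread). Parses `rpcinfo -p` style output and
separates services a client firewall can pin by port from those it cannot.
"""

from collections import namedtuple

RpcService = namedtuple("RpcService", "program version proto port service")

# Ports the thread says can be fixed: rpcbind (111), mountd (-p 59), nfs (2049).
FIXED_PORTS = {"rpcbind": 111, "mountd": 59, "nfs": 2049}

# Constructed sample in `rpcinfo -p` layout (not a real capture).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100005    1   udp     59  mountd
    100005    1   tcp     59  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100021    1   udp   1023  nlockmgr
    100024    1   udp   1022  status
"""


def parse_rpcinfo(text):
    """Parse `rpcinfo -p` output into RpcService records, skipping the header."""
    services = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0].isdigit():
            continue  # header line, blank line, or something unexpected
        program, version, proto, port, service = fields
        services.append(
            RpcService(int(program), int(version), proto, int(port), service)
        )
    return services


def audit_ports(services):
    """Split services into (pinned, unpinned).

    pinned:   service is on the fixed port the thread expects for it
    unpinned: service is on an arbitrary RPC port (or mountd was not forced),
              so a client-side ruleset cannot name its port in advance
    """
    pinned, unpinned = [], []
    for svc in services:
        expected = FIXED_PORTS.get(svc.service)
        if expected is not None and svc.port == expected:
            pinned.append(svc)
        else:
            unpinned.append(svc)
    return pinned, unpinned


def firewall_ports(services):
    """Sorted (proto, port) pairs an explicit client ruleset could pass to the
    server; the unpinned services are what force 'any port' stateful rules."""
    pinned, _ = audit_ports(services)
    return sorted({(s.proto, s.port) for s in pinned})


if __name__ == "__main__":
    svcs = parse_rpcinfo(SAMPLE_RPCINFO)
    pinned, unpinned = audit_ports(svcs)
    for s in pinned:
        print(f"pinned   {s.service:<9} {s.proto}/{s.port}")
    for s in unpinned:
        print(f"UNPINNED {s.service:<9} {s.proto}/{s.port}  (arbitrary RPC port)")
    print("explicit rules possible for:", firewall_ports(svcs))
```

    Run it against real output by piping `rpcinfo -p <server>` into
    parse_rpcinfo; on the constructed sample it reports nlockmgr and status as
    the services no port-based rule can cover, which is exactly the lockd/statd
    limitation Erik describes.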

  3. #3

    Re: IPFILTER and NFS

    Problem is that I need to firewall the client.

    I dont have access to the nfs server... only the client. Your
    configuration info showed me making changes on the server. is there a
    way to make the client work ok?

    -Matt

    Erik Nørgaard wrote:
    > It is, NFS is an RPC service where the RPC daemon is requested for
    > info on which port mountd binds to. I wrote a howto for diskless
    > clients, www.daemonsecurity.com/pxe/ - here's what to do:
    >
    > Enable nfs in /etc/rc.conf:
    >
    > rpcbind_enable="YES" # Run the portmapper service (YES/NO).
    > nfs_server_enable="YES" # This host is an NFS server (or NO).
    > mountd_enable="YES" # Run mountd (or NO).
    > mountd_flags="-r -p 59" # Force mountd to bind on port 59
    >
    > As a minimum you need to enable rpcbind, nfsserver and mountd. lockd
    > and statd provide file locking and status monitoring. By default,
    > when mountd starts it binds to some arbitrary port, and rpc is used to
    > discover which, making it impossible to firewall. With option '-p'
    > mountd can be forced to bind to a specific port. Port 59 is assigned
    > to "any private file service" (see /etc/services).
    >
    > This limits the number of ports relevant to 59, 111 and 2049. You
    > can't force lockd and statd to bind to specific ports (they are also
    > RPC services) and AFAIK you can't have disk quotas work correctly
    > because of this.
    >
    > AFAIK NFS4 should address these problems, but the NFS4 server is still
    > experimental.
    >
    > Till then, RPC is a security nightmare.
    >
    > Erik


    Matt Guest

  4. #4

    Re: IPFILTER and NFS

    Matt Juszczak wrote: 

    Just let your client connect to any port on the server - keep state so
    you can block incoming connections:

    pass out quick on <interface> proto tcp from <client>/32 \
    to <nfs-server>/32 flags S keep state
    pass out quick on <interface> proto udp from <client>/32 \
    to <nfs-server>/32 keep state

    Erik
    Erik Guest

  5. #5

    Re: IPFILTER and NFS

    Erik,

    I already have that :-(


    ---snip---
    # Default pass out
    pass out quick on em0 all keep state

    # Fragmented/Short/Opts/Fprinting packets
    block in quick on em0 all with ipopts
    block in quick on em0 all with frag
    block in quick on em0 proto tcp all with short
    block in quick on em0 proto tcp all flags FUP

    # Block local nets
    block in quick on em0 from 255.255.255.255/32 to any
    block in quick on em0 from 192.168.0.0/16 to any
    block in quick on em0 from 172.16.0.0/12 to any
    block in quick on em0 from 127.0.0.0/8 to any
    block in quick on em0 from 10.0.0.0/8 to any
    block in quick on em0 from 0.0.0.0/32 to any
    ---snip---


    Erik Nørgaard wrote:
    > Just let your client connect to any port on the server - keep state so
    > you can block incoming connections:
    >
    > pass out quick on <interface> proto tcp from <client>/32 \
    > to <nfs-server>/32 flags S keep state
    > pass out quick on <interface> proto udp from <client>/32 \
    > to <nfs-server>/32 keep state
    >
    > Erik


    Matt Guest

  6. #6

    Re: IPFILTER and NFS

    Matt Juszczak wrote: 

    You haven't told a word about your network setup or server's ip, and I
    don't know your default rules. Your ruleset is mostly useless without
    that info.

    Have you compiled with default block? If not, then your client is open
    to incoming connections from almost anywhere, and if you have, then your
    block rules have no use.

    NFS is udp - I think you can force tcp, but I think this requires
    changes on the server also.

    udp is stateless, so stateful filtering is somewhat guesswork. It
    works this way for, say, dns: Your host sends out a udp packet with a dns
    request, ip-filter knows dns and so expects a udp packet back within
    usually a minute.

    Now, ip-filter may not know nfs that well, or the nfs protocol may just
    be weird. Since you know your nfs server, you could do:

    pass in quick proto udp from <nfs server>/32 to <client>/32

    For clarity, I suggest you write two blocks of rules, incoming and
    outgoing, with both tcp and udp protocols for that server. It makes it
    easier to see what is going on.

    Make sure you start your ruleset with your default rules explicit,

    block in log all
    block out log all

    and enable logging on _all_ block rules. Start ipmon to log to a
    separate file.

    Default rules should never match; if they do it is an indication that there
    is something you have not taken care of. OK, this is not strictly true,
    but if they never match then it indicates you have written an explicit
    rule for each possible packet - i.e. you have thought about everything.

    If you still have problems, submit your ipmon log file and your full
    tested ruleset.

    Cheers, Erik
    Erik Guest
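    The debugging procedure Erik lays out (explicit default block rules at the top of
    the ruleset, logging on every block rule, ipmon writing to its own file, and
    every hit on the default rules read as a packet no explicit rule covered) is
    mechanical enough to script. The following is an added example, not code from
    the thread. It assumes ipmon's default line layout (date, time, interface,
    @group:rule, action, src,port -> dst,port, PR proto, lengths, then IN or OUT),
    that the two default rules are the first two in group 0 (so @0:1 is "block in
    log all" and @0:2 is "block out log all"), and uses constructed addresses and
    log lines, not a real capture. It summarises which client/server flows fell
    through to the default rules and turns them into the kind of explicit pass
    rule Erik suggests.

```python
"""Summarise ipmon log hits on the explicit default block rules.

Added example (not from the thread). Every packet that matched the default
`block in log all` / `block out log all` rules is traffic the ruleset did not
anticipate; for the NFS client/server pair that is where the missing rule is.
"""

import re
from collections import Counter

NFS_SERVER = "192.0.2.10"  # assumed address, constructed sample
CLIENT = "192.0.2.20"      # assumed address, constructed sample

# Assumption: the ruleset opens with the two explicit default rules, so
# `block in log all` is @0:1 and `block out log all` is @0:2.
DEFAULT_RULES = {("IN", "0:1"), ("OUT", "0:2")}

# Assumed ipmon layout; extra tokens (TCP flags, etc.) before IN/OUT are tolerated.
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<rule>\d+:\d+) (?P<action>[bp]\S*) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+) "
    r".*?\b(?P<dir>IN|OUT)\b"
)

# Constructed log lines: the client's outbound packets pass on rule @0:9, but
# the server's replies (portmapper on 111, nfs on 2049) fall through to @0:1,
# along with one unrelated inbound SYN to port 22 that should stay blocked.
SAMPLE_LOG = """\
04/12/2005 09:14:01.234567 em0 @0:9 p 192.0.2.20,1021 -> 192.0.2.10,111 PR udp len 20 84 OUT
04/12/2005 09:14:01.235001 em0 @0:1 b 192.0.2.10,111 -> 192.0.2.20,1021 PR udp len 20 112 IN
04/12/2005 09:14:03.100200 em0 @0:1 b 192.0.2.10,2049 -> 192.0.2.20,1019 PR udp len 20 1500 IN
04/12/2005 09:14:03.100900 em0 @0:1 b 192.0.2.10,2049 -> 192.0.2.20,1019 PR udp len 20 1500 IN
04/12/2005 09:14:05.000000 em0 @0:1 b 198.51.100.7,4444 -> 192.0.2.20,22 PR tcp len 20 60 -S IN
04/12/2005 09:14:06.000000 em0 @0:9 p 192.0.2.20,1018 -> 192.0.2.10,2049 PR udp len 20 140 OUT
"""


def parse_ipmon(text):
    """Yield one dict per log line matching the assumed layout; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec


def default_rule_hits(records):
    """Count blocked packets that matched a default rule, keyed by
    (direction, proto, src, dst, dport): each key is a flow with no explicit rule."""
    hits = Counter()
    for r in records:
        if (r["dir"], r["rule"]) in DEFAULT_RULES and r["action"].startswith("b"):
            hits[(r["dir"], r["proto"], r["src"], r["dst"], r["dport"])] += 1
    return hits


def nfs_gaps(hits, server=NFS_SERVER, client=CLIENT):
    """Keep only default-rule hits between the client and its NFS server;
    other hits (here the SYN to port 22) are the default rule doing its job."""
    return {k: n for k, n in hits.items() if {k[2], k[3]} == {server, client}}


def suggest_rules(gaps):
    """Turn each client/server gap into the per-host rule Erik suggests,
    one rule per direction/proto/src/dst regardless of the arbitrary port."""
    rules = []
    for direction, proto, src, dst, _port in gaps:
        rule = f"pass {direction.lower()} quick proto {proto} from {src}/32 to {dst}/32"
        if rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    hits = default_rule_hits(parse_ipmon(SAMPLE_LOG))
    for key, n in sorted(hits.items()):
        print(f"{n:4d} x default rule hit: {key}")
    gaps = nfs_gaps(hits)
    print("client/server flows lacking an explicit rule:", len(gaps))
    for rule in suggest_rules(gaps):
        print("suggested:", rule)
```

    Point it at the separate ipmon log file Erik recommends and adjust
    DEFAULT_RULES if the default rules are not the first two in group 0. On the
    constructed sample the server's udp replies are the only client/server flows
    hitting the default rule, and the suggested rule is the same "pass in quick
    proto udp from <nfs server>/32 to <client>/32" line from the post above; the
    stray SYN to port 22 is reported but correctly left out of the suggestions.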
