Solved FreeBSD NAS as NFS share on Proxmox, pf configuration

Hi,

I can use my FreeBSD NAS as a perfect NFS share for Proxmox when pf is disabled. However, when pf is enabled, traffic is somehow blocked despite the fact that pf allows it through several ports as seen below. Are there some UDP ports for NFS, just like Samba, that I need to allow traffic through? What am I missing?

Here is my /etc/pf.conf. Despite the line "block drop log all" I don't see the blocked traffic in pflog for some reason either.
Code:
# allowed tcp ports
nfs_ports = "{ 111 873 992 999 2049 30000 }"
smb_ports = "{ 81 137 138 139 445 }"
allowed_tcp_ports = "{ 81 111 137 138 139 445 873 992 999 2049 30000 }"

# VLANs etc.
VLAN1 = "{ 192.168.1.0/24 }"
LAN = "{ 192.168.0.0/16 }"

# skip loopback traffic
set skip on lo

# default deny
block drop log all

# allow ping from VLAN1
pass quick inet proto icmp all
# pass out proto inet proto udp from any to port 33433 >< 33626
# pass in quick log inet proto icmp from $VLAN1 to any icmp-type echoreq
# pass out quick log inet proto icmp from any to $VLAN1 icmp-type echoreq

# allow SSH only from specific hosts
pass in log proto tcp from $VLAN1 to any port ssh keep state
pass in log proto tcp from $LAN to any port $allowed_tcp_ports keep state
pass in log proto udp from $LAN to any port $smb_ports keep state

# allow all outgoing traffic
pass out all keep state
 
NFSv4 only uses port 2049. NFSv3 uses RPC over port 111, and the server connects back to the client on a random port. Terrible to firewall. Stick to NFSv4 and only open port 2049.

As for Samba (SMB/CIFS), only port 445 is needed. The other ports 137, 139, etc. are for old pre-Windows 2000 SMB filesharing. Just kill it, you don't need any of it.
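Applied to the ruleset posted above, this is the reduced pf.conf that an NFSv4-only plus TCP-only SMB setup needs (an added example, not from any post in this thread; the macros and the ssh/icmp rules are taken from the original ruleset, everything else is dropped rather than assumed):

```pf
# Only NFSv4 (2049/tcp) and SMB over TCP (445/tcp) are reachable from the LAN.
# Not opened on purpose:
#   111 (rpcbind), mountd, lockd/statd  - only needed by NFSv2/v3 (RPC, dynamic ports)
#   137/138/139 (NetBIOS)               - only needed by pre-Windows-2000 SMB
#   445/udp                             - SMB direct hosting is TCP only
nfs_ports = "{ 2049 }"
smb_ports = "{ 445 }"

# VLANs etc. (unchanged from the original post)
VLAN1 = "{ 192.168.1.0/24 }"
LAN = "{ 192.168.0.0/16 }"

# skip loopback traffic
set skip on lo

# default deny, logged to pflog0
block drop log all

# allow ping
pass quick inet proto icmp all

# allow SSH only from VLAN1
pass in log proto tcp from $VLAN1 to any port ssh keep state

# file sharing: TCP only, one port each
pass in log proto tcp from $LAN to any port $nfs_ports keep state
pass in log proto tcp from $LAN to any port $smb_ports keep state

# allow all outgoing traffic
pass out all keep state
```

Validate with pfctl -nf /etc/pf.conf before loading; once every client mounts with NFSv4 nothing but stray 111/mountd probes from leftover v3 mounts should show up as blocked in pflog.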
 
Thank you so much for both responses.
My /etc/exports is as follows:
Code:
V4: /
All of my shares are defined by zfs sharenfs commands/statements.

How can I confirm that the NFS client doesn't fall back to v3 and connects only with v4? Or, if it does, that the server doesn't allow a connection by v3? I hope these questions make sense.

As for Samba, I have Sonos speakers. I will try closing other ports mentioned by SirDice, only keep 445 open and see if they can still connect to my NAS. I will report back when I test it.

Thank you again!
 
How can I confirm that the NFS client doesn't fall back to v3 and connects only with v4? Or, if it does, that the server doesn't allow a connection by v3? I hope these questions make sense.
nfsv4(4)
Code:
SERVER SETUP
     To set up the NFS server that supports NFSv4, you will need to set the
     variables in rc.conf(5) as follows:

           nfs_server_enable="YES"
           nfsv4_server_enable="YES"
     ...
     In addition, you can set:

           nfsv4_server_only="YES"

     to disable support for NFSv2 and NFSv3.
You can verify the mount options with nfsstat -m
 
You can verify the mount options with nfsstat -m
All of the clients that mount the shares in my NAS seem to be falling back to NFSv3.
Client #1:
Code:
# nfsstat -m
/home/user/media from server:/pool0/media
 Flags: rw,relatime,vers=3,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.1.203,mountvers=3,mountport=823,mountproto=udp,local_lock=none,addr=192.168.1.203
Client #2:
Code:
# nfsstat -m
/mnt/nas/immich from 192.168.1.203:/pool0/immich
 Flags: rw,relatime,vers=3,rsize=131072,wsize=131072,namlen=255,hard,fatal_neterrors=none,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.1.203,mountvers=3,mountport=823,mountproto=udp,local_lock=none,addr=192.168.1.203

/mnt/pve/immich from 192.168.1.203:/pool0/immich
 Flags: rw,relatime,vers=3,rsize=131072,wsize=131072,namlen=255,hard,fatal_neterrors=none,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.1.203,mountvers=3,mountport=823,mountproto=udp,local_lock=none,addr=192.168.1.203

/mnt/pve/nas from 192.168.1.203:/pool0/backup
 Flags: rw,relatime,vers=3,rsize=131072,wsize=131072,namlen=255,hard,fatal_neterrors=none,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.1.203,mountvers=3,mountport=823,mountproto=udp,local_lock=none,addr=192.168.1.203

/mnt/pve/nasbkup from 192.168.1.203:/pool0/hyper
 Flags: rw,relatime,vers=3,rsize=131072,wsize=131072,namlen=255,hard,fatal_neterrors=none,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.1.203,mountvers=3,mountport=823,mountproto=udp,local_lock=none,addr=192.168.1.203

This is the relevant part of my /etc/rc.conf.local:
Code:
rpcbind_enable="YES"
rpc_lockd_enable="YES"
rpc_statd_enable="YES"
nfs_server_enable="YES"
nfsv4_server_enable="YES"
nfs_server_flags="-u -t"
nfsuserd_enable="YES"
nfsuserd_flags="-domain example.org"
mountd_enable="YES"
mountd_flags="-r -p 624" # force mountd to bind to the specified port

Since the clients are all Linux hosts, and I cannot figure out how to specify from the client side to explicitly use NFSv4 to mount the shares, I am going to stop spending time on this issue and just not use pf on the NAS for now. I really don't want to specify using NFSv4 explicitly on the server side, since it has the potential to break so many things that are currently working without pf enabled. This is in my home LAN, which is behind a firewall and should be safe enough.

Another funny thing is even when pf blocks the nfs access to my NAS, I cannot see anything blocked by it by issuing tcpdump -n -e -ttt -i pflog0 inbound and action block and on em0 on the NAS.
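A quick check for the fall-back question raised earlier and for the nfsstat output above, as an added example that is not code from the thread: it parses Linux nfsstat -m output (the sample below is constructed, modelled on the lines posted here), lists every mount that is not NFSv4, and derives the ports the server firewall must accept for each mount, which is exactly what decides whether pf lets it through.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample modelled on the nfsstat -m output posted in this thread.
SAMPLE = """\
/mnt/pve/immich from 192.168.1.203:/pool0/immich
 Flags: rw,relatime,vers=3,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.1.203,mountvers=3,mountport=823,mountproto=udp,local_lock=none,addr=192.168.1.203

/mnt from 192.168.1.60:/media
 Flags: rw,relatime,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.50,local_lock=none,addr=192.168.1.60
"""

MOUNT_RE = re.compile(r"^(\S+) from (\S+)$")  # "<mountpoint> from <server>:<export>"


def parse_nfsstat(text: str) -> List[Dict[str, str]]:
    """Turn nfsstat -m output into one dict per mount (flags become keys)."""
    mounts: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = MOUNT_RE.match(line)
        if m:
            current = {"mountpoint": m.group(1), "export": m.group(2)}
            mounts.append(current)
        elif current is not None and line.startswith("Flags:"):
            for item in line[len("Flags:"):].strip().split(","):
                key, _, value = item.partition("=")
                current[key] = value  # bare flags such as rw, hard get ""
    return mounts


def firewall_exposure(mount: Dict[str, str]) -> Set[Tuple[str, int]]:
    """(proto, port) pairs the server must accept for this mount to work.
    NFSv3 locking daemons (lockd/statd) are deliberately not included."""
    nfsd = (mount.get("proto", "tcp"), 2049)
    if mount.get("vers", "").startswith("4"):
        return {nfsd}  # NFSv4: a single well-known TCP port
    mproto = mount.get("mountproto", "udp")
    return {(mproto, 111),                      # rpcbind / portmapper
            (mproto, int(mount["mountport"])),  # mountd on its dynamic port
            nfsd}


def v3_fallbacks(text: str) -> List[str]:
    """Mount points that did not negotiate NFSv4 (these are what pf blocks)."""
    return [m["mountpoint"] for m in parse_nfsstat(text)
            if not m.get("vers", "").startswith("4")]
```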
 
All of the clients that mount the shares in my NAS seem to be falling back to NFSv3.
Have you used on the Linux clients the mount.nfs4(8) command, or specified the mount(8) "nfs4" "vfstype" option?

Code:
$ sudo mount.nfs4 192.168.1.60:/media /mnt

$ sudo mount -t nfs4 192.168.1.60:/media  /mnt

$ nfsstat -m
/mnt from 192.168.1.60:/media
 Flags: rw,relatime,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.50,local_lock=none,addr=192.168.1.60
 
Have you used on the Linux clients the mount.nfs4(8) command, or specified the mount(8) "nfs4" "vfstype" option?
Thank you so much for this pointer, I could not find it myself!

I can now confirm that all Linux hosts can mount their NFS shares with version 4.2 and the only ports open in pf are 445 (tcp and udp) and 2049 (tcp). Everything is working as expected, although there seems to be a little more latency in browsing the NFS share contents; not a deal breaker at the moment.

Thank you all so very much!
 