PF: how can I set some rule to work around keep state

I set a rule "pass out all keep state", which should make outgoing packets from local not be blocked and let the ACK packets pass in.
For some reason this is not working for NFS. Is there any workaround to use instead of "keep state"? The outgoing packets have a random src port.
 
 

SirDice
Administrator / Staff member / Moderator
NFSv3 uses RPC that opens a random port, awful to firewall. Use NFSv4, that only uses TCP/2049 and no "dynamic" ports.
 
Or keep NFS traffic local to the subnet it is used on. You usually don't want to have all file transfers between your clients and fileserver passing through your firewall...

(And I really REALLY hope OP isn't using NFS over the WAN/internet...)
 

SirDice
Administrator / Staff member / Moderator
Or keep NFS traffic local to the subnet it is used on. You usually don't want to have all file transfers between your clients and fileserver passing through your firewall...
Big networks typically have specific subnet(s) (One or more VLANs) for storage and if everything is firewalled between individual VLANs you're going to have to poke a hole in those firewalls. NFSv3 was a royal pain in the posterior due to the dynamic nature of the RPC ports (similar to FTP without the active/passive modes). NFSv4 'solved' this by doing everything on a single port in a single direction.

(And I really REALLY hope OP isn't using NFS over the WAN/internet...)
WAN isn't a problem, except it typically has quite a bit of latency making it fairly impractical. The internet? Yeah, don't do that.
 
It seems the TCP four-way FIN completes, and pfctl moves the state to FIN_WAIT_2.
When a "df" (or any operation on the NFS mount) is performed, the NFS client will initiate a new session (SYN) using the same port number.
pf will drop/reject the SYN because of the incorrect state.
pf cleans up the FIN_WAIT_2 state only on the "tcp.closed" timeout, AND the timeout is started n seconds after a new state entry (i.e. a new unique session) is created.
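An added pf.conf example, not posted by anyone in this thread, that puts SirDice's advice (NFSv4 on a single TCP port, kept inside a dedicated storage subnet) next to the state-timeout point raised in the last post. The storage subnet 10.10.20.0/24 and the server address 10.10.20.5 are constructed for the example; TCP/2049 is the NFSv4 port named above, and the tcp.closed default of 90 seconds is pf's documented default.

```pf
# Added example (not from the thread): pf.conf fragment for an NFSv4 client.
# Options must precede rules in pf.conf.

# The last post describes a stale closed-connection state still matching
# when the client reuses the same source port for a fresh SYN. Lowering
# tcp.closed (default 90 seconds) makes pf expire that entry sooner.
set timeout tcp.closed 30

# Constructed addresses: the storage VLAN and the NFS server on it.
storage_net = "10.10.20.0/24"
nfs_server  = "10.10.20.5"

# NFSv4 needs only TCP/2049 in one direction; none of the NFSv3 RPC
# portmapper/mountd/lockd dynamic ports have to be opened.
# Restricting the source to the storage subnet keeps NFS off the
# general firewall path, as recommended above.
pass out quick proto tcp from $storage_net to $nfs_server port 2049 \
    flags S/SA keep state

# Everything else to the NFS server is denied and logged, so any NFSv3
# RPC traffic that still appears shows up in pflog instead of silently
# failing.
block out log proto { tcp udp } from $storage_net to $nfs_server
```

Load it with `pfctl -f /etc/pf.conf` and watch the resulting entries with `pfctl -ss | grep 2049`: a healthy NFSv4 mount shows one ESTABLISHED:ESTABLISHED state per connection, and a lingering CLOSED or FIN_WAIT_2 entry with the same client port as a new attempt is the symptom the last post describes.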
 