Solved NFS and PF questions

Hello! I want to set up an NFS at home and use the stationary computer as the file server.
I have configured the NFS according to the handbook and am in the middle of configuring the firewall, and I have some questions regarding it.

My thought is to use the external interface for internal traffic as well (wlan0), since I think extra rules may not be necessary and I can also really benefit from the wireless connection.
When looking at the rules I set from the handbook I notice that I have used the rules:
Code:
## Drop all incoming
block all

## Block nonrouting IPs/Martians
block drop in on $ext_if from $martians to any
block drop out on $ext_if from any to $martians

And I wonder if it's not overkill to define non-routing IPs in $martians (eg. 192.168.0.0/16) when PF is set on "block all" already.

From a security point of view, how bad is it to allow incoming internal traffic on the same interface as the external? One thing I can think of is that I will open the ports necessary for the NFS, but in the ruleset I will only allow my two computers on the network to connect through their specified static IPs, so it shouldn't be any trouble. Are there any alternative interface configurations one can make?

>> I would get a similar effect with Samba or an ordinary web server, but I think NFS seems smooth.

Maybe I am just overthinking this.

Can you think of any problems?
 
Do you have any great links to where in the handbook I can find out how to properly set up a local network that allows internal traffic? Because so far I thought I would get this effect with the rule:
Code:
pass in on $ext_if inet proto tcp from $localcomps to port 2049 keep state
pass in on $ext_if inet proto { tcp, udp } from $localcomps to port 1023 keep state
+ pass out rules

Even though the interface in PF is defined as external, the rule itself only passes the internal "knocks" because of my local IPs in $localcomps, no?
Is this ^ to keep internal traffic as internal?
 
And when I encrypt this traffic with Kerberos/Heimdal, eavesdropping on the internal traffic in $ext_if will be hard?

Edit: A better question would be: Can I use the same interface (wlan0) for internal and external traffic and still keep them separated in PF, without harsh security breaches?
 
Internal traffic shouldn't be coming in on an external interface in the first place. That's what I meant with keep internal traffic internal.

If there's internal traffic on the external interface that means there's a 'short-circuit' somewhere on the network. This 'short-circuit' could then be used to circumvent the firewall, rendering it useless.
 
Generally speaking it is a bad idea to have ports for NFS open on the external interface, even though you only pass from trusted local IPs? And it all ends up in a type of 'short-circuiting'?

Q: Is the proper (/only?) option to use an ethernet cable and use its interface for internal traffic? Should this be possible if I cable-connect to the built-in switch in my router?
(First time setting up a LAN and I think that I am starting to get there)

>> As a server I guess it should be connected to the first port in the switch.

It feels a little iffy doing it this way when my computers already can find each other through pinging, but I think I am starting to understand how it works.

Thanks!
 
Can you provide a basic diagram of your network? I have a feeling we have different views of what constitutes internal and external. Knowing how your network is connected I'm sure we can provide better answers.
 
Reading this, I get the impression there is no firewall (protecting a network) in the scenario described -- just a host-based packet filter aimed at protecting the one machine it runs on. Is this correct?
 
[Attached image IMG_6557_2.JPG: diagram of the home network]

So what I want to do is put NFS server on Station 1 (just a PC) and have the two others connect to it to store and get files.

To you it all may be internal traffic since its governor is the modem/router and not the host (Station 1) running PF.

Reading this, I get the impression there is no firewall (protecting a network) in the scenario described -- just a host-based packet filter aimed at protecting the one machine it runs on. Is this correct?

Yap, that is fully correct, no firewall except the one which I hope should be built into the modem/router (default gateway). Each of the units is its own host and has its firewall configured.
 
Also, no host is currently acting as a gateway to another; they all connect by themselves to the router. I thought of and viewed the traffic between each host and the router as external, and if I wanted traffic between the hosts, that would be internal to me.
 
Update: I have now gotten further and have made a proper internal interface for sending packages between two hosts. At this point I am having internal traffic on wire between the hosts and external on the wireless. They can communicate with each other separately on both interfaces when I put the internal on another subnet. What is bothersome at the moment is that when having netmask 0xfffffff0 on int_if (nfe0) and mask 0xffffff00 for ext_if (wlan0), system services for networking don't know how to start or restart. I get the message:
Code:
michael_hackson@endlessvoid$: sudo service mountd reload
Password:
/etc/rc.conf: SE: not found
/etc/rc.conf: SE: not found
Cannot 'reload' mountd. Set mountd_enable to YES in /etc/rc.conf or use 'onereload' instead of 'reload'.

Even though it's properly set in /etc/rc.conf.

Goal: Have working wlan0 interface for Internet traffic, be able to browse web, and at the same time use the nfe0 (ethernet) for NFS server-client-transitions.
Question: If and how can I make it possible to run each interface with its own subnet and still be able to start and restart system services properly?
Currently: Can browse on both hosts, can ping both external and internal IPs on both hosts, but don't know what to do with services in /etc/rc.conf.

As you can understand, the most convenient outcome will be to not cut the wlan0 connection every time I need transitions on nfe0.

Cheers!

Edit: Maybe it can help to have NFS in jail. I'll try this.
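An added check, not part of the thread: /etc/rc.conf is sourced by sh(1), and a message of the form `/etc/rc.conf: SE: not found` is exactly what sh prints when a line assigns an unquoted multi-word value (the shell assigns the first word and then tries to run the second word as a command). Whether that is the cause in the poster's file is an assumption; the rc.conf fragment below is constructed for the example, and the `create_args_wlan0` line is written without quotes on purpose so the checker has something to find.

```python
import re

# Constructed sample of an /etc/rc.conf fragment (not the poster's real file).
# Line 5 is deliberately written without quotes around a multi-word value.
SAMPLE_RC_CONF = """\
# constructed sample rc.conf
hostname="endlessvoid"
mountd_enable="YES"
wlans_ath0="wlan0"
create_args_wlan0=country SE regdomain ETSI
ifconfig_nfe0="inet 192.168.10.251 netmask 0xfffffff0"
"""

# var=value at the start of a line (optional leading whitespace)
ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$')
# a value that is one fully double- or single-quoted string, optionally followed by a comment
QUOTED = re.compile(r'^(?:"[^"]*"|\'[^\']*\')\s*(?:#.*)?$')


def unquoted_assignments(text):
    """Return (lineno, name, value) for every assignment whose value contains
    whitespace but is not wrapped in quotes.

    rc.conf is sourced by sh(1), so `var=word1 word2 word3` is parsed as the
    assignment var=word1 followed by a command named word2 with argument word3.
    Quoted values are fine and are never reported.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue
        match = ASSIGN.match(line)
        if not match:
            continue
        name, value = match.groups()
        if QUOTED.match(value):
            continue
        if re.search(r'\s', value.strip()):
            findings.append((lineno, name, value))
    return findings


def command_sh_would_run(value):
    """For an unquoted multi-word value, the word sh(1) would try to execute."""
    words = value.split()
    return words[1] if len(words) > 1 else None


if __name__ == "__main__":
    for lineno, name, value in unquoted_assignments(SAMPLE_RC_CONF):
        cmd = command_sh_would_run(value)
        print(f"line {lineno}: {name}={value!r} -> sh would report '{cmd}: not found'")
```

Run against the real file with `unquoted_assignments(open('/etc/rc.conf').read())`; the fix for any line it reports is simply to put the whole value in double quotes, after which `service mountd reload` no longer trips over the stray word.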
 
Code:
michael_hackson@endlessvoid$: ifconfig
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=82008<VLAN_MTU,WOL_MAGIC,LINKSTATE>
    ether 00:1b:fc:7c:e6:71
    hwaddr 00:1b:fc:7c:e6:71
    inet 192.168.10.251 netmask 0xfffffff0 broadcast 192.168.10.255
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex,master>)
    status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    groups: lo
pflog0: flags=100<PROMISC> metric 0 mtu 33184
    groups: pflog
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:18:4d:75:df:3d
    hwaddr 00:18:4d:75:df:3d
    inet 192.168.10.111 netmask 0xffffff00 broadcast 192.168.10.255
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: IEEE 802.11 Wireless Ethernet OFDM/18Mbps mode 11g
    status: associated
    ssid TN_24GHz_0C7D93 channel 6 (2437 MHz 11g) bssid c4:ea:1d:0c:7d:93
    regdomain ETSI country SE ecm authmode WPA2/802.11i privacy ON
    deftxkey UNDEF TKIP 2:128-bit TKIP 3:128-bit txpower 30 bmiss 7
    scanvalid 60 protmode CTS wme burst roaming MANUAL
    groups: wlan
 
It's all working now. My setup may not be what you would find traditionally, and therefore the definitions of internal and external can be different. What I did was to go with SirDice's directive to keep internal and external traffic separated.

I set up a proper internal interface (ethernet autoselect) and allowed the traffic in /etc/pf.conf as follows:

Code:
localcomps = "{ 192.168.10.250/28, 192.168.10.252/28 }"

int_if = "nfe0"

pass in on $int_if proto { tcp, udp } from $localcomps to any port { 2049, 1023, 111, 1110, 4045, 634 } keep state
pass out on $int_if proto { tcp, udp } to any port { 2049, 1023, 111, 1110, 4045, 634 } keep state

The 634 is the port whereat mountd(8) is bound.

It may be a little generous with those ports, but since I currently only connect two computers with cable it should be alright. To be able to restart network services and use different subnets, I found the easiest approach was to ifconfig the internal interface in one of my startup scripts; that way I can restart services like netif and afterwards just restart the daemon provided by my script in /etc/rc.d/.

Piece of cake.
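An added check, not from the thread, that takes only the values posted above (the `$localcomps` macro from this ruleset and the nfe0/wlan0 addresses from the ifconfig output) and answers two things the thread left open: the first post's question of whether `from $localcomps` really admits only the two static hosts, and why the two subnets interact. pf matches an address/prefix pair against the whole prefix, so `192.168.10.250/28` admits every host in 192.168.10.240/28, not one machine; and because 192.168.10.240/28 lies inside wlan0's 192.168.10.0/24, both interfaces claim the same addresses and the reply path is chosen by longest-match routing rather than by the interface a packet arrived on, which is what undermines the per-interface separation SirDice described. The `/32` rewrite is a suggested tightening, not something the poster did.

```python
import ipaddress

# Values copied from the thread above: the two interface addresses shown by
# ifconfig and the pf macro from the final ruleset. Nothing else is assumed.
INTERFACES = {
    "nfe0": "192.168.10.251/28",   # netmask 0xfffffff0
    "wlan0": "192.168.10.111/24",  # netmask 0xffffff00
}
LOCALCOMPS = ["192.168.10.250/28", "192.168.10.252/28"]


def effective_networks(entries):
    """pf matches a host/prefix pair against the whole prefix, so a /28 written
    on a host address admits the entire /28. Map each entry to that network."""
    return {e: ipaddress.ip_network(e, strict=False) for e in entries}


def hosts_passed(entries):
    """All host addresses the macro admits (union over entries)."""
    admitted = set()
    for net in effective_networks(entries).values():
        addrs = list(net)
        if net.num_addresses > 2:        # drop network and broadcast addresses
            addrs = addrs[1:-1]
        admitted.update(addrs)
    return admitted


def host_only(entries):
    """Rewrite each entry as a single-host /32, which is what 'only these two
    static IPs' actually means in pf syntax."""
    return [f"{ipaddress.ip_interface(e).ip}/32" for e in entries]


def overlapping_interfaces(ifaces):
    """Pairs of interfaces whose subnets overlap: the kernel then picks the reply
    interface by longest-match routing, not by where the packet came in."""
    nets = {name: ipaddress.ip_interface(addr).network for name, addr in ifaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    for entry, net in effective_networks(LOCALCOMPS).items():
        print(f"{entry:<20} really matches {net}")
    print(f"hosts admitted by $localcomps: {len(hosts_passed(LOCALCOMPS))}")
    print(f"tightened macro: {host_only(LOCALCOMPS)} -> "
          f"{len(hosts_passed(host_only(LOCALCOMPS)))} host(s)")
    print(f"overlapping interface subnets: {overlapping_interfaces(INTERFACES)}")
```

The practical outcome of the check is a macro of the form `localcomps = "{ 192.168.10.250/32, 192.168.10.252/32 }"` (or plain host addresses, which pf treats the same way) and an internal subnet that does not lie inside the wireless one, so that `pass in on $int_if` and `block all` on wlan0 describe disjoint address space.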
 