PF NFSv4 vs PF

Hello Friends,

I'm kinda new on FreeBSD firewall and I'm having some issues setting up an NFSv4 file server with a PF firewall. Every time I enable my firewall I get dropped from NFSv4. My pf.conf is very simple and it looks like it's working for both SSH and SMB but not for NFS:
Code:
block in all
pass out all keep state
services = "{22, 445, 2049}"
pass in proto {tcp, udp} from 172.16.0.0/23 to 172.16.1.5 port $services keep state

When mounting on a Linux box without PF I get mounted v4 with no problem, with PF disabled I just get a timeout:

Code:
$ sudo mount -v -t nfs4 -o noatime,nodiratime,noexec,nodev,nosuid,async 172.16.1.5:/storage /tmp/storage
mount.nfs4: timeout set for Sun Mar  5 14:47:49 2023
mount.nfs4: trying text-based options 'vers=4.2,addr=172.16.1.5,clientaddr=172.16.1.142'

I've also run rpcinfo -p and got 111 and 897 (probably for v3 and lower but..). I've tried adding them just to make sure that it wasn't falling back to v3 for some reason, and got the same issue. Also tried with services sunrpc, nfsd, nfsd-status, nfsd-keepalive from /etc/services without success:

Code:
$ sudo rpcinfo -p      
Password:
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100000    4 local    111  rpcbind
    100000    3 local    111  rpcbind
    100000    2 local    111  rpcbind
    100005    1   udp    897  mountd
    100005    3   udp    897  mountd
    100005    1   tcp    897  mountd
    100005    3   tcp    897  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs

Looks like NFSv4 is using a random not shown port to connect which shouldn't be the case or the connection state is not stable somehow.
 
Looks like NFSv4 is using a random not shown port to connect which shouldn't be the case or the connection state is not stable somehow.
If you have a fast internet connection it is recommended to use TCP instead of UDP, as you may experience packet loss with UDP. Is rcrpcbind port mapper running? This is always a requirement on Linux. idmapd is also needed on Linux as far as I remember. And I would also try putting your mount in fstab and then mounting it via mount -o remount /mountpoint. Perhaps one of your export options is not recognized. And I don't know, but shouldn't you also add ports 897 and 111 to your pf.conf? I'm not an NFS4 expert, I haven't used it in FreeBSD yet, I just read about it in a Linux system admin course.
 
Port 111 is RPC and is required for NFSv3. For NFSv4 only port 2049 is used.
 
Yes, the port changes. It is advisable to set the desired ports in the nfs mount variable in rc.conf. I think it takes the -p and/or "-o port...." argument, I think. See here. Do check it with the right version for your OS.
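
A quick way to check the rpcinfo -p listing from the first post against the pf.conf services macro, as an added example that is not part of any post in this thread. The function name rpc_ports_vs_pf and the trimmed sample are constructed here; it only reports which rpcbind-registered ports fall outside the allowed list and does not inspect pf rules or state.

```shell
#!/bin/sh
# Added example (not from the thread): compare ports registered with rpcbind
# against the ports listed in a pf macro such as the thread's $services.

# Usage: rpcinfo -p | rpc_ports_vs_pf "22 445 2049"
# Prints one line per service/proto/port: "<service> <proto> <port> allowed|blocked"
rpc_ports_vs_pf() {
    awk -v allowed="$1" '
        BEGIN {
            # Accept space- or comma-separated port lists.
            n = split(allowed, a, /[ ,]+/)
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Data rows are: program vers proto port service.
        # Skip the header and "local" (UNIX socket) rows, which pf never sees.
        $1 ~ /^[0-9]+$/ && ($3 == "tcp" || $3 == "udp") {
            key = $5 "/" $3 "/" $4
            if (!(key in seen)) {      # collapse multiple RPC versions
                seen[key] = 1
                printf "%s %s %s %s\n", $5, $3, $4, (($4 in ok) ? "allowed" : "blocked")
            }
        }'
}

# Sample input: trimmed copy of the rpcinfo -p output in the first post.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    4 local    111  rpcbind
    100005    3   udp    897  mountd
    100005    3   tcp    897  mountd
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
EOF
}

sample_rpcinfo | rpc_ports_vs_pf "22 445 2049"
```

With the thread's services list, only the nfs rows on 2049 come back as allowed; rpcbind (111) and mountd (897) are reported as blocked, which matters only if the client falls back to NFSv3.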
 